view src/testdir/test_number.vim @ 33664:06b59278bfcf v9.0.2070
patch 9.0.2070: [security] disallow setting env in restricted mode
Commit: https://github.com/vim/vim/commit/6b89dd6a7257a1e2e9c7ea070b407bc4674a5118
Author: Christian Brabandt <cb@256bit.org>
Date: Thu Oct 26 22:14:17 2023 +0200
patch 9.0.2070: [security] disallow setting env in restricted mode
Problem: [security] disallow setting env in restricted mode
Solution: Setting environment variables in restricted mode could
potentially be used to execute shell commands. Disallow this.
restricted mode: disallow setting of environment variables
Setting environment variables in restricted mode may have some unwanted
consequences. For example, by setting $GCONV_PATH in restricted mode
and then calling the iconv() function, one may be able to execute some
unwanted payload, because the `iconv_open()` function internally uses
the `$GCONV_PATH` variable to find its conversion data.
So let's disable setting environment variables, even though this is not
complete protection, since we are not clearing the existing environment.
I tried a few ways but wasn't successful :(
One could also argue to disable the iconv() function completely in
restricted mode, but who knows what other API functions can be
influenced by setting some other unrelated environment variables.
So let's leave it as it is currently.
closes: #13394
See: https://huntr.com/bounties/b0a2eda1-459c-4e36-98e6-0cc7d7faccfe/
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Thu, 26 Oct 2023 22:30:03 +0200 |
parents | 218363931f5d |
children | 7afcc5481eb7 |
" Test for 'number' and 'relativenumber'
"
" Each test opens a scratch window, sets the line-number options under test,
" reads the rendered screen rows back and compares them with literal rows.

source check.vim
source view_util.vim
source screendump.vim

" Return screen rows a:start to a:end as produced by ScreenLines(), which is
" called with 8 as its second argument (presumably the number of columns to
" keep; ScreenLines() is not defined in this file).
func s:screen_lines(start, end) abort
  return ScreenLines([a:start, a:end], 8)
endfunc

" Record a test failure when a:actual differs from a:expect.
func s:compare_lines(expect, actual)
  call assert_equal(a:expect, a:actual)
endfunc

" Open the test window through NewWindow() with height a:h and width a:w.
func s:test_windows(h, w) abort
  call NewWindow(a:h, a:w)
endfunc

" Close the window opened by s:test_windows().
func s:close_windows() abort
  call CloseWindow()
endfunc

" Call wincol() only for its side effect; the result is discarded.
func s:validate_cursor() abort
  " update skipcol.
  " wincol():
  "   f_wincol
  "     -> validate_cursor
  "       -> curs_columns
  call wincol()
endfunc

" 'number' and 'relativenumber' set with :set must still read as 1 inside a
" newly opened window.
func Test_set_options()
  set nu rnu
  call assert_equal(1, &nu)
  call assert_equal(1, &rnu)

  call s:test_windows(10, 20)
  call assert_equal(1, &nu)
  call assert_equal(1, &rnu)
  call s:close_windows()

  " Restore both options to their defaults for the following tests.
  set nu& rnu&
endfunc

" Setting one of the two options with :setlocal, :setglobal or :set must leave
" the global value of the other option that was set just before at 1.
func Test_set_global_and_local()
  " setlocal must NOT reset the other global value
  set nonu nornu
  setglobal nu
  setlocal rnu
  call assert_equal(1, &g:nu)

  set nonu nornu
  setglobal rnu
  setlocal nu
  call assert_equal(1, &g:rnu)

  " setglobal MUST reset the other global value
  set nonu nornu
  setglobal nu
  setglobal rnu
  call assert_equal(1, &g:nu)

  set nonu nornu
  setglobal rnu
  setglobal nu
  call assert_equal(1, &g:rnu)

  " set MUST reset the other global value
  set nonu nornu
  set nu
  set rnu
  call assert_equal(1, &g:nu)

  set nonu nornu
  set rnu
  set nu
  call assert_equal(1, &g:rnu)

  " Restore both options to their defaults for the following tests.
  set nu& rnu&
endfunc

" With 'number' set, each row starts with its absolute line number.
func Test_number()
  call s:test_windows(10, 20)
  call setline(1, ["abcdefghij", "klmnopqrst", "uvwxyzABCD", "EFGHIJKLMN", "OPQRSTUVWX", "YZ"])
  setl number
  let lines = s:screen_lines(1, 4)
  " NOTE(review): s:screen_lines() asks for 8 columns but the expected rows in
  " this copy of the file are shorter; runs of spaces inside the literals look
  " collapsed by the page rendering. Compare with the repository file before
  " relying on any expected row in this listing.
  let expect = [
        \ " 1 abcd",
        \ " 2 klmn",
        \ " 3 uvwx",
        \ " 4 EFGH",
        \ ]
  call s:compare_lines(expect, lines)
  call s:close_windows()
endfunc

" With only 'relativenumber' set, rows show the distance to the cursor line
" and the cursor line itself shows 0.
func Test_relativenumber()
  call s:test_windows(10, 20)
  call setline(1, ["abcdefghij", "klmnopqrst", "uvwxyzABCD", "EFGHIJKLMN", "OPQRSTUVWX", "YZ"])
  " Move the cursor to line 3 so that it becomes the reference line.
  3
  setl relativenumber
  let lines = s:screen_lines(1, 6)
  let expect = [
        \ " 2 abcd",
        \ " 1 klmn",
        \ " 0 uvwx",
        \ " 1 EFGH",
        \ " 2 OPQR",
        \ " 3 YZ ",
        \ ]
  call s:compare_lines(expect, lines)
  call s:close_windows()
endfunc

" With both options set, the cursor line shows its absolute number and the
" other rows show their distance to it.
func Test_number_with_relativenumber()
  call s:test_windows(10, 20)
  call setline(1, ["abcdefghij", "klmnopqrst", "uvwxyzABCD", "EFGHIJKLMN", "OPQRSTUVWX", "YZ"])
  " Move the cursor to line 4 so that it becomes the reference line.
  4
  setl number relativenumber
  let lines = s:screen_lines(1, 6)
  let expect = [
        \ " 3 abcd",
        \ " 2 klmn",
        \ " 1 uvwx",
        \ "4 EFGH",
        \ " 1 OPQR",
        \ " 2 YZ ",
        \ ]
  call s:compare_lines(expect, lines)
  call s:close_windows()
endfunc

" A line of 61 'a' characters in a 3-row window with 'number' and 'wrap': the
" first row is expected to begin with the '<<<' marker.
func Test_number_with_linewrap1()
  call s:test_windows(3, 20)
  normal! 61ia
  setl number wrap
  call s:validate_cursor()
  let lines = s:screen_lines(1, 3)
  let expect = [
        \ "<<< aaaa",
        \ " aaaa",
        \ " aaaa",
        \ ]
  call s:compare_lines(expect, lines)
  call s:close_windows()
endfunc

" Pending: https://groups.google.com/forum/#!topic/vim_dev/tzNKP7EDWYI
" NOTE(review): the name starts with 'XTest_' rather than 'Test_', presumably
" so that the test runner does not pick it up while the issue is pending.
func XTest_number_with_linewrap2()
  call s:test_windows(3, 20)
  normal! 61ia
  setl number wrap
  call s:validate_cursor()
  " Jump back to the first line and refresh the cursor position again.
  0
  call s:validate_cursor()
  let lines = s:screen_lines(1, 3)
  let expect = [
        \ " 1 aaaa",
        \ " aaaa",
        \ " aaaa",
        \ ]
  call s:compare_lines(expect, lines)
  call s:close_windows()
endfunc

" Pending: https://groups.google.com/forum/#!topic/vim_dev/tzNKP7EDWYI
" NOTE(review): the name starts with 'XTest_' rather than 'Test_', presumably
" so that the test runner does not pick it up while the issue is pending.
func XTest_number_with_linewrap3()
  call s:test_windows(4, 20)
  normal! 81ia
  setl number wrap
  call s:validate_cursor()
  " Switch 'number' off again; the rows are then expected to hold text only.
  setl nonumber
  call s:validate_cursor()
  let lines = s:screen_lines(1, 4)
  let expect = [
        \ "aaaaaaaa",
        \ "aaaaaaaa",
        \ "aaaaaaaa",
        \ "a ",
        \ ]
  call s:compare_lines(expect, lines)
  call s:close_windows()
endfunc

" 'numberwidth' set to 6, checked with 'number' alone, then with
" 'relativenumber' added, then with 'number' switched off.
func Test_numberwidth()
  call s:test_windows(10, 20)
  call setline(1, repeat(['aaaa'], 10))
  setl number numberwidth=6
  let lines = s:screen_lines(1, 3)
  let expect = [
        \ " 1 aa",
        \ " 2 aa",
        \ " 3 aa",
        \ ]
  call s:compare_lines(expect, lines)

  " 'number' and 'relativenumber' together.
  set relativenumber
  let lines = s:screen_lines(1, 3)
  let expect = [
        \ "1 aa",
        \ " 1 aa",
        \ " 2 aa",
        \ ]
  call s:compare_lines(expect, lines)

  " 'relativenumber' alone: the cursor line shows 0.
  set nonumber
  let lines = s:screen_lines(1, 3)
  let expect = [
        \ " 0 aa",
        \ " 1 aa",
        \ " 2 aa",
        \ ]
  call s:compare_lines(expect, lines)
  call s:close_windows()
endfunc

" 'numberwidth' set to 4 in a buffer of 10000 lines: the expected rows at the
" end of the buffer carry five-digit line numbers.
func Test_numberwidth_adjusted()
  call s:test_windows(10, 20)
  call setline(1, repeat(['aaaa'], 10000))
  setl number numberwidth=4
  let lines = s:screen_lines(1, 3)
  let expect = [
        \ " 1 aa",
        \ " 2 aa",
        \ " 3 aa",
        \ ]
  call s:compare_lines(expect, lines)

  " Jump to the last line of the buffer.
  $
  let lines = s:screen_lines(8, 10)
  let expect = [
        \ " 9998 aa",
        \ " 9999 aa",
        \ "10000 aa",
        \ ]
  call s:compare_lines(expect, lines)

  " 'number' and 'relativenumber' together.
  setl relativenumber
  let lines = s:screen_lines(8, 10)
  let expect = [
        \ " 2 aa",
        \ " 1 aa",
        \ "10000 aa",
        \ ]
  call s:compare_lines(expect, lines)

  " 'relativenumber' alone: the expected rows show four text characters.
  setl nonumber
  let lines = s:screen_lines(8, 10)
  let expect = [
        \ " 2 aaaa",
        \ " 1 aaaa",
        \ " 0 aaaa",
        \ ]
  call s:compare_lines(expect, lines)
  call s:close_windows()
endfunc

" This was causing a memcheck error
" The test has no assertions; it only redraws a new two-line buffer with
" 'relativenumber' set, before and after moving the cursor down.
func Test_relativenumber_uninitialised()
  new
  set rnu
  call setline(1, ["a", "b"])
  redraw
  call feedkeys("j", 'xt')
  redraw
  bwipe!
endfunc

" Screen-dump test for the LineNr, LineNrAbove and LineNrBelow highlight
" groups with 'number' and 'relativenumber' set.
func Test_relativenumber_colors()
  CheckScreendump

  let lines =<< trim [CODE]
    call setline(1, range(200))
    111
    set number relativenumber
    hi LineNr ctermfg=red
  [CODE]
  " The 'D' flag asks for the file to be deleted when this function ends.
  call writefile(lines, 'XTest_relnr', 'D')

  " Run the script in a terminal Vim and compare a screen dump after each
  " highlight change.
  let buf = RunVimInTerminal('-S XTest_relnr', {'rows': 10, 'cols': 50})
  call TermWait(buf, 50)
  " Default colors
  call VerifyScreenDump(buf, 'Test_relnr_colors_1', {})

  call term_sendkeys(buf, ":hi LineNrAbove ctermfg=blue\<CR>:\<CR>")
  call VerifyScreenDump(buf, 'Test_relnr_colors_2', {})

  call term_sendkeys(buf, ":hi LineNrBelow ctermfg=green\<CR>:\<CR>")
  call VerifyScreenDump(buf, 'Test_relnr_colors_3', {})

  call term_sendkeys(buf, ":hi clear LineNrAbove\<CR>")
  call VerifyScreenDump(buf, 'Test_relnr_colors_4', {})

  " clean up
  call StopVimInTerminal(buf)
endfunc

" Screen-dump test: a timer callback moves the cursor from line 4 to line 1
" while 'relativenumber' is set.
func Test_relativenumber_callback()
  CheckScreendump
  CheckFeature timers

  let lines =<< trim END
      call setline(1, ['aaaaa', 'bbbbb', 'ccccc', 'ddddd'])
      set relativenumber
      call cursor(4, 1)
      func Func(timer)
        call cursor(1, 1)
      endfunc
      call timer_start(300, 'Func')
  END
  " The 'D' flag asks for the file to be deleted when this function ends.
  call writefile(lines, 'Xrnu_timer', 'D')

  let buf = RunVimInTerminal('-S Xrnu_timer', #{rows: 8})
  " Wait slightly longer than the 300 ms timer before taking the dump.
  call TermWait(buf, 310)
  call VerifyScreenDump(buf, 'Test_relativenumber_callback_1', {})

  call StopVimInTerminal(buf)
endfunc

" Test for displaying line numbers with 'rightleft'
" The patterns expect the digits of the line number in reversed order
" (for example 01 for line 10) at the start of the matched row.
func Test_number_rightleft()
  CheckFeature rightleft
  new
  setlocal number
  setlocal rightleft
  call setline(1, range(1, 1000))
  normal! 9Gzt
  redraw!
  call assert_match('^\s\+9 9$', Screenline(1))
  normal! 10Gzt
  redraw!
  call assert_match('^\s\+01 10$', Screenline(1))
  normal! 100Gzt
  redraw!
  call assert_match('^\s\+001 100$', Screenline(1))
  normal! 1000Gzt
  redraw!
  call assert_match('^\s\+0001 1000$', Screenline(1))
  bw!
endfunc

" This used to cause a divide by zero
" The test has no assertions; it passes when the commands below complete.
func Test_number_no_text_virtual_edit()
  vnew
  call setline(1, ['line one', 'line two'])
  set number virtualedit=all
  normal w
  " Set the window width to 4 columns.
  4wincmd |
  normal j
  bwipe!
endfunc

" vim: shiftwidth=2 sts=2 expandtab