To: vim-dev@vim.org Subject: Patch 6.1.265 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit ------------ Patch 6.1.265 Problem: libcall() can be used in 'foldexpr' to call any system function. rename(), delete() and remote_send() can also be used in 'foldexpr'. These are security problems. (Georgi Guninski) Solution: Don't allow using libcall(), rename(), delete(), remote_send() and similar functions in the sandbox. Files: src/eval.c *** ../vim61.264/src/eval.c Sun Dec 22 11:22:09 2002 --- src/eval.c Mon Dec 23 21:19:45 2002 *************** *** 3346,3351 **** --- 3346,3354 ---- else retvar->var_val.var_string = NULL; + if (check_restricted() || check_secure()) + return; + #ifdef FEAT_LIBCALL /* The first two args must be strings, otherwise its meaningless */ if (argvars[0].var_type == VAR_STRING && argvars[1].var_type == VAR_STRING) *************** *** 3378,3384 **** VAR argvars; VAR retvar; { ! retvar->var_val.var_number = mch_remove(get_var_string(&argvars[0])); } /* --- 3381,3390 ---- VAR argvars; VAR retvar; { ! if (check_restricted() || check_secure()) ! retvar->var_val.var_number = -1; ! else ! retvar->var_val.var_number = mch_remove(get_var_string(&argvars[0])); } /* *************** *** 4625,4631 **** --- 4631,4642 ---- int histype; char_u *str; char_u buf[NUMBUFLEN]; + #endif + retvar->var_val.var_number = FALSE; + if (check_restricted() || check_secure()) + return; + #ifdef FEAT_CMDHIST histype = get_histtype(get_var_string(&argvars[0])); if (histype >= 0) { *************** *** 4638,4644 **** } } #endif - retvar->var_val.var_number = FALSE; } /* --- 4649,4654 ---- *************** *** 5267,5273 **** { char_u buf[NUMBUFLEN]; ! retvar->var_val.var_number = vim_rename(get_var_string(&argvars[0]), get_var_string_buf(&argvars[1], buf)); } --- 5277,5286 ---- { char_u buf[NUMBUFLEN]; ! if (check_restricted() || check_secure()) ! retvar->var_val.var_number = -1; ! else ! retvar->var_val.var_number = vim_rename(get_var_string(&argvars[0]), get_var_string_buf(&argvars[1], buf)); } *************** *** 5547,5552 **** --- 5560,5567 ---- VAR varp; char_u nbuf[NUMBUFLEN]; + if (check_restricted() || check_secure()) + return; ++emsg_off; buf = get_buf_var(&argvars[0]); varname = get_var_string(&argvars[1]); *************** *** 5633,5638 **** --- 5648,5655 ---- VAR varp; char_u nbuf[NUMBUFLEN]; + if (check_restricted() || check_secure()) + return; ++emsg_off; win = find_win_by_nr(&argvars[0]); varname = get_var_string(&argvars[1]); *************** *** 5765,5770 **** --- 5782,5792 ---- var v; char_u *s; + if (check_restricted() || check_secure()) + { + retvar->var_val.var_number = -1; + return; + } # ifdef WIN32 int n = 0; *************** *** 5805,5824 **** char_u *r = NULL; #ifdef FEAT_CLIENTSERVER # ifdef WIN32 ! /* The server's HWND is encoded in the 'id' parameter */ ! int n = 0; ! sscanf(get_var_string(&argvars[0]), "%x", &n); ! if (n != 0) ! r = serverGetReply((HWND)n, FALSE, TRUE, TRUE); ! if (r == NULL) # else ! if (check_connection() == FAIL ! || serverReadReply(X_DISPLAY, serverStrToWin(get_var_string(&argvars[0])), &r, FALSE) < 0) # endif ! EMSG(_("E277: Unable to read a server reply")); #endif retvar->var_type = VAR_STRING; retvar->var_val.var_string = r; --- 5827,5848 ---- char_u *r = NULL; #ifdef FEAT_CLIENTSERVER + if (!check_restricted() && !check_secure()) + { # ifdef WIN32 ! /* The server's HWND is encoded in the 'id' parameter */ ! int n = 0; ! sscanf(get_var_string(&argvars[0]), "%x", &n); ! if (n != 0) ! r = serverGetReply((HWND)n, FALSE, TRUE, TRUE); ! if (r == NULL) # else ! if (check_connection() == FAIL || serverReadReply(X_DISPLAY, serverStrToWin(get_var_string(&argvars[0])), &r, FALSE) < 0) # endif ! EMSG(_("E277: Unable to read a server reply")); ! } #endif retvar->var_type = VAR_STRING; retvar->var_val.var_string = r; *************** *** 5836,5842 **** char_u *reply = get_var_string_buf(&argvars[1], buf); retvar->var_val.var_number = -1; ! # ifndef WIN32 if (check_connection() == FAIL) return; # endif --- 5860,5868 ---- char_u *reply = get_var_string_buf(&argvars[1], buf); retvar->var_val.var_number = -1; ! if (check_restricted() || check_secure()) ! return; ! # ifdef FEAT_X11 if (check_connection() == FAIL) return; # endif *************** *** 5870,5875 **** --- 5896,5904 ---- # else Window w; # endif + + if (check_restricted() || check_secure()) + return; # ifdef FEAT_X11 if (check_connection() == FAIL) *** ../vim61.264/src/version.c Sun Dec 22 11:22:09 2002 --- src/version.c Mon Dec 23 21:14:33 2002 *************** *** 608,609 **** --- 608,611 ---- { /* Add new patch number below this line */ + /**/ + 265, /**/ -- Fingers not found - Pound head on keyboard to continue. /// Bram Moolenaar -- Bram@moolenaar.net -- http://www.moolenaar.net \\\ /// Creator of Vim - Vi IMproved -- http://www.vim.org \\\ \\\ Project leader for A-A-P -- http://www.a-a-p.org /// \\\ Lord Of The Rings helps Uganda - http://iccf-holland.org/lotr.html ///