From: Bram Moolenaar Date: Wed, 22 May 2019 22:38:25 +0200 Subject: patch 8.1.1365: source command doesn't check for the sandbox Problem: Source command doesn't check for the sandbox. (Armin Razmjou) Solution: Check for the sandbox when sourcing a file. (cherry picked from commit 53575521406739cf20bbe4e384d88e7dca11f040) Signed-off-by: James McCoy --- src/getchar.c | 6 ++++++ src/testdir/test_source.vim | 9 +++++++++ src/version.c | 2 ++ 3 files changed, 17 insertions(+) --- a/src/getchar.c +++ b/src/getchar.c @@ -1407,6 +1407,12 @@ openscript( emsg(_(e_nesting)); return; } + + // Disallow sourcing a file in the sandbox, the commands would be executed + // later, possibly outside of the sandbox. + if (check_secure()) + return; + #ifdef FEAT_EVAL if (ignore_script) /* Not reading from script, also don't open one. Warning message? */ --- a/src/testdir/test_source.vim +++ b/src/testdir/test_source.vim @@ -36,3 +36,12 @@ func Test_source_cmd() au! SourcePre au! SourcePost endfunc + +func Test_source_sandbox() + new + call writefile(["Ohello\"], 'Xsourcehello') + source! Xsourcehello | echo + call assert_equal('hello', getline(1)) + call assert_fails('sandbox source! Xsourcehello', 'E48:') + bwipe! +endfunc --- a/src/version.c +++ b/src/version.c @@ -792,6 +792,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 1365, +/**/ 1046, /**/ 948,