1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 22 May 2019 22:38:25 +0200
Subject: patch 8.1.1365: source command doesn't check for the sandbox
Problem: Source command doesn't check for the sandbox. (Armin Razmjou)
Solution: Check for the sandbox when sourcing a file.
(cherry picked from commit 53575521406739cf20bbe4e384d88e7dca11f040)
Signed-off-by: James McCoy <jamessan@debian.org>
---
src/getchar.c | 6 ++++++
src/testdir/test_source.vim | 9 +++++++++
src/version.c | 2 ++
3 files changed, 17 insertions(+)
--- a/src/getchar.c
+++ b/src/getchar.c
@@ -1407,6 +1407,12 @@ openscript(
emsg(_(e_nesting));
return;
}
+
+ // Disallow sourcing a file in the sandbox, the commands would be executed
+ // later, possibly outside of the sandbox.
+ if (check_secure())
+ return;
+
#ifdef FEAT_EVAL
if (ignore_script)
/* Not reading from script, also don't open one. Warning message? */
--- a/src/testdir/test_source.vim
+++ b/src/testdir/test_source.vim
@@ -36,3 +36,12 @@ func Test_source_cmd()
au! SourcePre
au! SourcePost
endfunc
+
+func Test_source_sandbox()
+ new
+ call writefile(["Ohello\<Esc>"], 'Xsourcehello')
+ source! Xsourcehello | echo
+ call assert_equal('hello', getline(1))
+ call assert_fails('sandbox source! Xsourcehello', 'E48:')
+ bwipe!
+endfunc
--- a/src/version.c
+++ b/src/version.c
@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 1365,
+/**/
1046,
/**/
948,
|
