author | Jan Edmund Lazo <jan.lazo@mail.utoronto.ca> | 2020-01-26 08:17:08 -0500 |
---|---|---|
committer | Jan Edmund Lazo <jan.lazo@mail.utoronto.ca> | 2020-01-26 17:38:30 -0500 |
commit | 08c5a874ab97d52e215025ccd010d68fcdf14731 (patch) | |
tree | df47490305b3c01878863ee47a08a7da882b0d59 /src | |
parent | 6f073ccbf464e2f2cd6d6855aa3f27ee1adcc20d (diff) | |
vim-patch:8.1.1143: may pass weird strings to file name expansion
Problem: May pass weird strings to file name expansion.
Solution: Check for matching characters. Disallow control characters.
https://github.com/vim/vim/commit/8f130eda4747e4a4d68353cdb650f359fd01469b
Diffstat (limited to 'src')
-rw-r--r-- | src/nvim/option.c | 33 | ||||
-rw-r--r-- | src/nvim/path.c | 16 | ||||
-rw-r--r-- | src/nvim/spell.c | 4 | ||||
-rw-r--r-- | src/nvim/testdir/test_escaped_glob.vim | 2 | ||||
-rw-r--r-- | src/nvim/testdir/test_spell.vim | 6 |
5 files changed, 52 insertions, 9 deletions
diff --git a/src/nvim/option.c b/src/nvim/option.c
index f03dcc2bf2..9168509aa8 100644
--- a/src/nvim/option.c
+++ b/src/nvim/option.c
@@ -2509,18 +2509,35 @@ static char *set_string_option(const int opt_idx, const char *const value,
 return r;
 }
-/// Return true if "val" is a valid 'filetype' name.
-/// Also used for 'syntax' and 'keymap'.
-static bool valid_filetype(char_u *val)
+/// Return true if "val" is a valid name: only consists of alphanumeric ASCII
+/// characters or characters in "allowed".
+static bool valid_name(const char_u *val, const char *allowed)
+ FUNC_ATTR_NONNULL_ALL FUNC_ATTR_PURE FUNC_ATTR_WARN_UNUSED_RESULT
 {
- for (char_u *s = val; *s != NUL; s++) {
- if (!ASCII_ISALNUM(*s) && vim_strchr((char_u *)".-_", *s) == NULL) {
+ for (const char_u *s = val; *s != NUL; s++) {
+ if (!ASCII_ISALNUM(*s)
+ && vim_strchr((const char_u *)allowed, *s) == NULL) {
 return false;
 }
 }
 return true;
 }
+/// Return true if "val" is a valid 'filetype' name.
+/// Also used for 'syntax' and 'keymap'.
+static bool valid_filetype(const char_u *val)
+ FUNC_ATTR_NONNULL_ALL FUNC_ATTR_PURE FUNC_ATTR_WARN_UNUSED_RESULT
+{
+ return valid_name(val, ".-_");
+}
+
+/// Return true if "val" is a valid 'spellang' value.
+bool valid_spellang(const char_u *val)
+ FUNC_ATTR_NONNULL_ALL FUNC_ATTR_PURE FUNC_ATTR_WARN_UNUSED_RESULT
+{
+ return valid_name(val, ".-_,");
+}
+
 /// Handle string options that need some action to perform when changed.
 /// Returns NULL for success, or an error message for an error.
 static char_u *
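Review bot: The doc comment on `valid_spellang()` names the option 'spellang', while the option itself and the test hunk spell it 'spelllang'; it should read `/// Return true if "val" is a valid 'spelllang' value.` The comment also does not say what the check is for, which matters because the function is non-static and is called from other files. Going by the commit message, the value later reaches file name expansion, so a second line such as `/// Rejects path separators, whitespace and control characters.` would record the contract that `valid_name()` with `".-_,"` actually enforces.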
@@ -3032,7 +3049,11 @@ ambw_end:
 || varp == &(curwin->w_s->b_p_spf)) {
 // When 'spelllang' or 'spellfile' is set and there is a window for this
 // buffer in which 'spell' is set load the wordlists.
- errmsg = did_set_spell_option(varp == &(curwin->w_s->b_p_spf));
+ if (!valid_spellang(*varp)) {
+ errmsg = e_invarg;
+ } else {
+ errmsg = did_set_spell_option(varp == &(curwin->w_s->b_p_spf));
+ }
 } else if (varp == &(curwin->w_s->b_p_spc)) {
 // When 'spellcapcheck' is set compile the regexp program.
 errmsg = compile_cap_prog(curwin->w_s);
diff --git a/src/nvim/path.c b/src/nvim/path.c
index a53870acb8..0142724a5b 100644
--- a/src/nvim/path.c
+++ b/src/nvim/path.c
@@ -1120,10 +1120,22 @@ static bool has_env_var(char_u *p)
 static bool has_special_wildchar(char_u *p)
 {
 for (; *p; MB_PTR_ADV(p)) {
- // Allow for escaping
- if (*p == '\\' && p[1] != NUL) {
+ // Disallow line break characters.
+ if (*p == '\r' || *p == '\n') {
+ break;
+ }
+ // Allow for escaping.
+ if (*p == '\\' && p[1] != NUL && p[1] != '\r' && p[1] != '\n') {
 p++;
 } else if (vim_strchr((char_u *)SPECIAL_WILDCHAR, *p) != NULL) {
+ // A { must be followed by a matching }.
+ if (*p == '{' && vim_strchr(p, '}') == NULL) {
+ continue;
+ }
+ // A quote and backtick must be followed by another one.
+ if ((*p == '`' || *p == '\'') && vim_strchr(p, *p) == NULL) {
+ continue;
+ }
 return true;
 }
 }
diff --git a/src/nvim/spell.c b/src/nvim/spell.c
index c75a53a777..a221f3fd75 100644
--- a/src/nvim/spell.c
+++ b/src/nvim/spell.c
@@ -2008,6 +2008,10 @@ char_u *did_set_spelllang(win_T *wp)
 region = NULL;
 len = (int)STRLEN(lang);
+ if (!valid_spellang(lang)) {
+ continue;
+ }
+
 if (STRCMP(lang, "cjk") == 0) {
 wp->w_s->b_cjk = 1;
 continue;
diff --git a/src/nvim/testdir/test_escaped_glob.vim b/src/nvim/testdir/test_escaped_glob.vim
index aad3a1e835..2bfd82c296 100644
--- a/src/nvim/testdir/test_escaped_glob.vim
+++ b/src/nvim/testdir/test_escaped_glob.vim
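Review bot: The new `valid_spellang(*varp)` check is applied to 'spellfile' as well as 'spelllang', because this branch is also entered when `varp == &(curwin->w_s->b_p_spf)` (the first half of the condition lies above the hunk). `valid_name()` with `".-_,"` rejects `/`, so a 'spellfile' value that is a path would now fail with `e_invarg`, and the test_spell.vim hunk only exercises 'spelllang'. Limiting the name check to 'spelllang', for example `if (varp != &(curwin->w_s->b_p_spf) && !valid_spellang(*varp)) {`, and giving 'spellfile' a separate check that permits path characters would keep the hardening without breaking that option. A test that sets 'spellfile' to a path would pin the behaviour.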
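Review bot: In `has_special_wildchar()` the quote/backtick guard `vim_strchr(p, *p) == NULL` starts its search at `p` itself, so it finds the character being tested and, assuming `vim_strchr` behaves like `strchr`, can never be NULL. An unpaired backtick or single quote therefore still makes the function return true, contrary to the comment above the check. Starting the search one byte later gives the intended behaviour: `vim_strchr(p + 1, *p) == NULL`. The `{` guard does not have this problem because it looks for a different character, though it accepts any later `}` rather than a balanced one. The function's final return is outside the hunk.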
@@ -17,7 +17,7 @@ function Test_glob()
 " Setting 'shell' to an invalid name causes a memory leak.
 sandbox call assert_equal("", glob('Xxx\{'))
 sandbox call assert_equal("", glob('Xxx\$'))
- w! Xxx{
+ w! Xxx\{
 " } to fix highlighting
 w! Xxx\$
 sandbox call assert_equal("Xxx{", glob('Xxx\{'))
diff --git a/src/nvim/testdir/test_spell.vim b/src/nvim/testdir/test_spell.vim
index e2016d7927..098cd957ae 100644
--- a/src/nvim/testdir/test_spell.vim
+++ b/src/nvim/testdir/test_spell.vim
@@ -151,6 +151,12 @@ func Test_spellinfo()
 set nospell spelllang=en
 call assert_fails('spellinfo', 'E756:')
+ call assert_fails('set spelllang=foo/bar', 'E474:')
+ call assert_fails('set spelllang=foo\ bar', 'E474:')
+ call assert_fails("set spelllang=foo\\\nbar", 'E474:')
+ call assert_fails("set spelllang=foo\\\rbar", 'E474:')
+ call assert_fails("set spelllang=foo+bar", 'E474:')
+
 set enc& spell& spelllang&
 bwipe
 endfunc
|