author | Sean Dewar <seandewar@users.noreply.github.com> | 2021-11-01 16:21:16 +0000 |
---|---|---|
committer | Sean Dewar <seandewar@users.noreply.github.com> | 2021-11-26 18:53:10 +0000 |
commit | 38a831e54a7261fda06555bc7464546ecfcbf897 (patch) | |
tree | c44a94badd3d4b7c5c71f94f167e49b9f23e6eeb /test/functional/vimscript/timer_spec.lua | |
parent | 39776d1a6513e33a33addb69deae72ab2ecafef4 (diff) | |
vim-patch:7.4.1777
Problem: Newly added features can escape the sandbox.
Solution: Add checks for restricted and secure. (Yasuhiro Matsumoto)
https://github.com/vim/vim/commit/3849992b16011e36a5cb5be4b127f843389b96fd
timer_start is missing check_secure.
The timer callback can, for example, call a function defined from outside the sandbox that does
stuff that would be disallowed from inside the sandbox. This is usually not allowed.
Cherry-pick eval.txt change from:
https://github.com/vim/vim/commit/68e6560b84f196c82e27a72669684d5506a3a837
Required for v8.1.2013.
Diffstat (limited to 'test/functional/vimscript/timer_spec.lua')
-rw-r--r-- | test/functional/vimscript/timer_spec.lua | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/test/functional/vimscript/timer_spec.lua b/test/functional/vimscript/timer_spec.lua
index 9ee0735e40..e45b64422f 100644
--- a/test/functional/vimscript/timer_spec.lua
+++ b/test/functional/vimscript/timer_spec.lua
@@ -3,6 +3,7 @@ local Screen = require('test.functional.ui.screen')
 local feed, eq, eval, ok = helpers.feed, helpers.eq, helpers.eval, helpers.ok
 local source, nvim_async, run = helpers.source, helpers.nvim_async, helpers.run
 local clear, command, funcs = helpers.clear, helpers.command, helpers.funcs
+local exc_exec = helpers.exc_exec
 local curbufmeths = helpers.curbufmeths
 local load_adjust = helpers.load_adjust
 local retry = helpers.retry
@@ -262,4 +263,13 @@ describe('timers', function()
 eq(2, eval('g:val'))
 end)
+
+ it("timer_start can't be used in the sandbox", function()
+ source [[
+ function! Scary(timer) abort
+ call execute('echo ''execute() should be disallowed''', '')
+ endfunction
+ ]]
+ eq("Vim(call):E48: Not allowed in sandbox", exc_exec("sandbox call timer_start(0, 'Scary')"))
+ end)
 end) |
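Review bot: The new test in the second hunk asserts only that `sandbox call timer_start(0, 'Scary')` raises E48, so it would still pass if a later change raised the error after the timer had already been registered and the callback went on to run outside the sandbox. Since `funcs` is already imported in this file, the test could also confirm that nothing was scheduled, for example `eq({}, funcs.timer_info())` right after the existing `eq(...)` line; this assumes each test starts from a fresh session, which the hunk does not show. A short comment above the test, such as `-- the callback would run later, outside the sandbox, so timer_start itself must fail`, would record why the check belongs on the scheduling call. The enclosing `describe('timers', ...)` block starts outside the hunk.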