From e3f36377c156749bbdafc46d8a8cd017f378b4b5 Mon Sep 17 00:00:00 2001 From: Christian Clason Date: Sun, 23 Apr 2023 15:22:55 +0200 Subject: vim-patch:71badf9547e8 (#23285) Update runtime files https://github.com/vim/vim/commit/71badf9547e8f89571b9a095183671cbb333d528 Co-authored-by: Bram Moolenaar --- runtime/autoload/zip.vim | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'runtime/autoload/zip.vim') diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim index bc9b62ddb0..8dda30c418 100644 --- a/runtime/autoload/zip.vim +++ b/runtime/autoload/zip.vim @@ -1,7 +1,7 @@ " zip.vim: Handles browsing zipfiles " AUTOLOAD PORTION -" Date: Nov 08, 2021 -" Version: 32 +" Date: Mar 12, 2023 +" Version: 33 " Maintainer: Charles E Campbell " License: Vim License (see vim's :help license) " Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1 @@ -20,7 +20,7 @@ if &cp || exists("g:loaded_zip") finish endif -let g:loaded_zip= "v32" +let g:loaded_zip= "v33" if v:version < 702 echohl WarningMsg echo "***warning*** this version of zip needs vim 7.2 or later" @@ -160,10 +160,14 @@ endfun " --------------------------------------------------------------------- " ZipBrowseSelect: {{{2 fun! s:ZipBrowseSelect() -" call Dfunc("ZipBrowseSelect() zipfile<".b:zipfile."> curfile<".expand("%").">") + " call Dfunc("ZipBrowseSelect() zipfile<".((exists("b:zipfile"))? b:zipfile : "n/a")."> curfile<".expand("%").">") let repkeep= &report set report=10 let fname= getline(".") + if !exists("b:zipfile") +" call Dret("ZipBrowseSelect : b:zipfile doesn't exist!") + return + endif " sanity check if fname =~ '^"' -- cgit From 7bf0963d48ec76b1cdeee55edc8f2053eca87367 Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 1 Sep 2023 11:38:31 +0800 Subject: vim-patch:9.0.1833: [security] runtime file fixes (#24969) Problem: runtime files may execute code in current dir Solution: only execute, if not run from current directory The perl, zig and ruby filetype plugins and the zip and gzip autoload plugins may try to load malicious executable files from the current working directory. This is especially a problem on windows, where the current directory is implicitly in your $PATH and windows may even run a file with the extension `.bat` because of $PATHEXT. So make sure that we are not trying to execute a file from the current directory. If this would be the case, error out (for the zip and gzip) plugins or silently do not run those commands (for the ftplugins). This assumes, that only the current working directory is bad. For all other directories, it is assumed that those directories were intentionally set to the $PATH by the user. https://github.com/vim/vim/commit/816fbcc262687b81fc46f82f7bbeb1453addfe0c Co-authored-by: Christian Brabandt --- runtime/autoload/zip.vim | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'runtime/autoload/zip.vim') diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim index 8dda30c418..0331a542ac 100644 --- a/runtime/autoload/zip.vim +++ b/runtime/autoload/zip.vim @@ -57,6 +57,10 @@ if !exists("g:zip_extractcmd") let g:zip_extractcmd= g:zip_unzipcmd endif +if fnamemodify(exepath(g:zip_unzipcmd), ":p:h") ==# getcwd() + echoerr "Warning: NOT executing " .. g:zip_unzipcmd .. " from current directory!" + finish +endif " ---------------- " Functions: {{{1 " ---------------- -- cgit From 5d1c1da3c90adece96f491e7f12fd76c03a881c9 Mon Sep 17 00:00:00 2001 From: Christian Clason Date: Wed, 6 Sep 2023 23:49:58 +0200 Subject: vim-patch:67c951df4c95 runtime(ftplugin): allow to exec if curdir is in PATH In case the current directory is present as valid $PATH entry, it is OK to call the program from it, even if vim curdir is in that same directory. (Without that patch, for instance, you will not be able to open .zip files while your current directory is /bin) closes: vim/vim#13027 https://github.com/vim/vim/commit/67c951df4c95981c716eeedb1b102d9668549e65 Co-authored-by: Anton Sharonov --- runtime/autoload/zip.vim | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'runtime/autoload/zip.vim') diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim index 0331a542ac..8b39c91c3a 100644 --- a/runtime/autoload/zip.vim +++ b/runtime/autoload/zip.vim @@ -57,10 +57,15 @@ if !exists("g:zip_extractcmd") let g:zip_extractcmd= g:zip_unzipcmd endif -if fnamemodify(exepath(g:zip_unzipcmd), ":p:h") ==# getcwd() +let s:tmp_cwd = getcwd() +if (fnamemodify(exepath(g:zip_unzipcmd), ":p:h") ==# getcwd() + \ && (index(split($PATH,has("win32")? ';' : ':'), s:tmp_cwd) == -1 || s:tmp_cwd == '.')) + unlet s:tmp_cwd echoerr "Warning: NOT executing " .. g:zip_unzipcmd .. " from current directory!" finish endif +unlet s:tmp_cwd + " ---------------- " Functions: {{{1 " ---------------- -- cgit From 26cdff0e92bf93a2afcb4a78e056780ea3f582e7 Mon Sep 17 00:00:00 2001 From: Christian Clason Date: Sat, 4 Nov 2023 11:37:42 +0100 Subject: vim-patch:cd8a3eaf5348 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit runtime(dist): centralize safe executable check and add vim library (vim/vim#13413) Follow up to 816fbcc26 (patch 9.0.1833: [security] runtime file fixes, 2023-08-31) and f7ac0ef50 (runtime: don't execute external commands when loading ftplugins, 2023-09-06). This puts the logic for safe executable checks in a single place, by introducing a central vim library, so all filetypes benefit from consistency. Notable changes: - dist#vim because the (autoload) namespace for a new runtime support library. Supporting functions should get documentation. It might make life easier for NeoVim devs to make the documentation a new file rather than cram it into existing files, though we may want cross-references to it somewhere… - The gzip and zip plugins need to be opted into by enabling execution of those programs (or the global plugin_exec). This needs documentation or discussion. - This fixes a bug in the zig plugin: code setting s:tmp_cwd was removed in f7ac0ef50 (runtime: don't execute external commands when loading ftplugins, 2023-09-06), but the variable was still referenced. Since the new function takes care of that automatically, the variable is no longer needed. https://github.com/vim/vim/commit/cd8a3eaf5348feacfecab4b374b7ea4ce6a97422 Co-authored-by: D. Ben Knoble --- runtime/autoload/zip.vim | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'runtime/autoload/zip.vim') diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim index 8b39c91c3a..e61293c357 100644 --- a/runtime/autoload/zip.vim +++ b/runtime/autoload/zip.vim @@ -57,14 +57,10 @@ if !exists("g:zip_extractcmd") let g:zip_extractcmd= g:zip_unzipcmd endif -let s:tmp_cwd = getcwd() -if (fnamemodify(exepath(g:zip_unzipcmd), ":p:h") ==# getcwd() - \ && (index(split($PATH,has("win32")? ';' : ':'), s:tmp_cwd) == -1 || s:tmp_cwd == '.')) - unlet s:tmp_cwd +if !dist#vim#IsSafeExecutable('zip', g:zip_unzipcmd) echoerr "Warning: NOT executing " .. g:zip_unzipcmd .. " from current directory!" finish endif -unlet s:tmp_cwd " ---------------- " Functions: {{{1 -- cgit