From 26cdff0e92bf93a2afcb4a78e056780ea3f582e7 Mon Sep 17 00:00:00 2001 From: Christian Clason Date: Sat, 4 Nov 2023 11:37:42 +0100 Subject: vim-patch:cd8a3eaf5348 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit runtime(dist): centralize safe executable check and add vim library (vim/vim#13413) Follow up to 816fbcc26 (patch 9.0.1833: [security] runtime file fixes, 2023-08-31) and f7ac0ef50 (runtime: don't execute external commands when loading ftplugins, 2023-09-06). This puts the logic for safe executable checks in a single place, by introducing a central vim library, so all filetypes benefit from consistency. Notable changes: - dist#vim because the (autoload) namespace for a new runtime support library. Supporting functions should get documentation. It might make life easier for NeoVim devs to make the documentation a new file rather than cram it into existing files, though we may want cross-references to it somewhere… - The gzip and zip plugins need to be opted into by enabling execution of those programs (or the global plugin_exec). This needs documentation or discussion. - This fixes a bug in the zig plugin: code setting s:tmp_cwd was removed in f7ac0ef50 (runtime: don't execute external commands when loading ftplugins, 2023-09-06), but the variable was still referenced. Since the new function takes care of that automatically, the variable is no longer needed. https://github.com/vim/vim/commit/cd8a3eaf5348feacfecab4b374b7ea4ce6a97422 Co-authored-by: D. Ben Knoble --- runtime/autoload/dist/vim.vim | 17 +++++++++++++++++ runtime/autoload/gzip.vim | 5 +---- runtime/autoload/zip.vim | 6 +----- 3 files changed, 19 insertions(+), 9 deletions(-) create mode 100644 runtime/autoload/dist/vim.vim (limited to 'runtime/autoload') diff --git a/runtime/autoload/dist/vim.vim b/runtime/autoload/dist/vim.vim new file mode 100644 index 0000000000..57b757f021 --- /dev/null +++ b/runtime/autoload/dist/vim.vim 
@@ -0,0 +1,17 @@ +vim9script + +# Vim runtime support library +# +# Maintainer: The Vim Project +# Last Change: 2023 Oct 25 + +export def IsSafeExecutable(filetype: string, executable: string): bool + var cwd = getcwd() + return get(g:, filetype .. '_exec', get(g:, 'plugin_exec', 0)) + && (fnamemodify(exepath(executable), ':p:h') !=# cwd + || (split($PATH, has('win32') ? ';' : ':')->index(cwd) != -1 + && cwd != '.')) +enddef + +# Uncomment this line to check for compilation errors early +# defcompile diff --git a/runtime/autoload/gzip.vim b/runtime/autoload/gzip.vim index 6d0bb13401..26b1cda034 100644 --- a/runtime/autoload/gzip.vim +++ b/runtime/autoload/gzip.vim @@ -11,10 +11,7 @@ fun s:check(cmd) let name = substitute(a:cmd, '\(\S*\).*', '\1', '') if !exists("s:have_" . name) " safety check, don't execute anything from the current directory - let s:tmp_cwd = getcwd() - let f = (fnamemodify(exepath(name), ":p:h") !=# s:tmp_cwd - \ || (index(split($PATH,has("win32")? ';' : ':'), s:tmp_cwd) != -1 && s:tmp_cwd != '.')) - unlet s:tmp_cwd + let f = dist#vim#IsSafeExecutable('gzip', name) if !f echoerr "Warning: NOT executing " .. name .. " from current directory!" endif diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim index 8b39c91c3a..e61293c357 100644 --- a/runtime/autoload/zip.vim +++ b/runtime/autoload/zip.vim @@ -57,14 +57,10 @@ if !exists("g:zip_extractcmd") let g:zip_extractcmd= g:zip_unzipcmd endif -let s:tmp_cwd = getcwd() -if (fnamemodify(exepath(g:zip_unzipcmd), ":p:h") ==# getcwd() - \ && (index(split($PATH,has("win32")? ';' : ':'), s:tmp_cwd) == -1 || s:tmp_cwd == '.')) - unlet s:tmp_cwd +if !dist#vim#IsSafeExecutable('zip', g:zip_unzipcmd) echoerr "Warning: NOT executing " .. g:zip_unzipcmd .. " from current directory!" finish endif -unlet s:tmp_cwd " ---------------- " Functions: {{{1 -- cgit
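Review bot: The new `IsSafeExecutable` in runtime/autoload/dist/vim.vim has no comment stating its contract, and it returns false for two unrelated reasons that callers cannot tell apart. One is that neither `g:{filetype}_exec` nor `g:plugin_exec` is set (the fallback is 0); the other is that `exepath(executable)` resolves into the current directory while that directory is not listed in `$PATH`. I would add a header comment above the `def`, e.g. `# Returns true only if g:{filetype}_exec (or g:plugin_exec) is set and {executable} does not resolve into the current directory, unless that directory is itself an entry in $PATH.` The trailing `&& cwd != '.'` looks like dead code, since `getcwd()` should return a full path and so never equal `'.'`; either drop it or comment which case it is meant to cover. I would also confirm that the case-sensitive `!=#` comparison is strict enough on Windows, where the directory from `exepath()` and the one from `getcwd()` might differ only in case and then be treated as different directories.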
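Review bot: In the gzip.vim hunk the error text still reads `NOT executing ... from current directory!`, but `dist#vim#IsSafeExecutable('gzip', name)` now also returns false when neither `g:gzip_exec` nor `g:plugin_exec` is set. A user who has simply not opted in is therefore told that the binary sits in the current directory. The removed lines had no opt-in condition, so this is a behaviour change the message does not reflect; the zip.vim hunk has the same problem with `g:zip_unzipcmd`. I would reword both messages, for example `echoerr "Warning: NOT executing " .. name .. " (not enabled via g:gzip_exec or g:plugin_exec, or found in the current directory)"`. `s:check()` starts and ends outside the hunk, so how the result is used afterwards is not visible here.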
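Review bot: In the zip.vim hunk only `g:zip_unzipcmd` is passed to `dist#vim#IsSafeExecutable`, although the context lines just above show that `g:zip_extractcmd` can be set independently by the user and is never checked here. The check is also top-level code followed by `finish`, so it appears to run once, against the working directory at the time the script is sourced. A later change of directory would then not be re-checked, though whether that matters depends on how the commands are invoked further down, outside this hunk. I would at least add the same guard for the extract command, `if !dist#vim#IsSafeExecutable('zip', g:zip_extractcmd)`, or move the call to the point where each command is actually run.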