From 327e3fab9e66701334a55dd7893283acb85899a2 Mon Sep 17 00:00:00 2001 From: Christian Clason Date: Thu, 24 Aug 2023 09:07:35 +0900 Subject: vim-patch:3fc7a7e44abd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit runtime: Fix typos in various files closes: vim/vim#12836 https://github.com/vim/vim/commit/3fc7a7e44abda6505ccd39a6d067db6e5173cbf6 Co-authored-by: Viktor Szépe --- runtime/ftplugin/zig.vim | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'runtime/ftplugin/zig.vim') diff --git a/runtime/ftplugin/zig.vim b/runtime/ftplugin/zig.vim index e740a52849..5f453fc8d1 100644 --- a/runtime/ftplugin/zig.vim +++ b/runtime/ftplugin/zig.vim @@ -17,7 +17,7 @@ compiler zig_build " Match Zig builtin fns setlocal iskeyword+=@-@ -" Recomended code style, no tabs and 4-space indentation +" Recommended code style, no tabs and 4-space indentation setlocal expandtab setlocal tabstop=8 setlocal softtabstop=4 -- cgit From 7bf0963d48ec76b1cdeee55edc8f2053eca87367 Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 1 Sep 2023 11:38:31 +0800 Subject: vim-patch:9.0.1833: [security] runtime file fixes (#24969) Problem: runtime files may execute code in current dir Solution: only execute, if not run from current directory The perl, zig and ruby filetype plugins and the zip and gzip autoload plugins may try to load malicious executable files from the current working directory. This is especially a problem on windows, where the current directory is implicitly in your $PATH and windows may even run a file with the extension `.bat` because of $PATHEXT. So make sure that we are not trying to execute a file from the current directory. If this would be the case, error out (for the zip and gzip) plugins or silently do not run those commands (for the ftplugins). This assumes, that only the current working directory is bad. For all other directories, it is assumed that those directories were intentionally set to the $PATH by the user. https://github.com/vim/vim/commit/816fbcc262687b81fc46f82f7bbeb1453addfe0c Co-authored-by: Christian Brabandt --- runtime/ftplugin/zig.vim | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'runtime/ftplugin/zig.vim') diff --git a/runtime/ftplugin/zig.vim b/runtime/ftplugin/zig.vim index 5f453fc8d1..cd18bfe2bd 100644 --- a/runtime/ftplugin/zig.vim +++ b/runtime/ftplugin/zig.vim @@ -39,7 +39,9 @@ endif let &l:define='\v(|||^\s*\#\s*define)' -if !exists('g:zig_std_dir') && exists('*json_decode') && executable('zig') +" Safety check: don't execute zip from current directory +if !exists('g:zig_std_dir') && exists('*json_decode') && + \ executable('zig') && fnamemodify(exepath("zig"), ":p:h") != getcwd() silent let s:env = system('zig env') if v:shell_error == 0 let g:zig_std_dir = json_decode(s:env)['std_dir'] -- cgit From 5d1c1da3c90adece96f491e7f12fd76c03a881c9 Mon Sep 17 00:00:00 2001 From: Christian Clason Date: Wed, 6 Sep 2023 23:49:58 +0200 Subject: vim-patch:67c951df4c95 runtime(ftplugin): allow to exec if curdir is in PATH In case the current directory is present as valid $PATH entry, it is OK to call the program from it, even if vim curdir is in that same directory. (Without that patch, for instance, you will not be able to open .zip files while your current directory is /bin) closes: vim/vim#13027 https://github.com/vim/vim/commit/67c951df4c95981c716eeedb1b102d9668549e65 Co-authored-by: Anton Sharonov --- runtime/ftplugin/zig.vim | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'runtime/ftplugin/zig.vim') diff --git a/runtime/ftplugin/zig.vim b/runtime/ftplugin/zig.vim index cd18bfe2bd..45ea582615 100644 --- a/runtime/ftplugin/zig.vim +++ b/runtime/ftplugin/zig.vim @@ -40,14 +40,17 @@ endif let &l:define='\v(|||^\s*\#\s*define)' " Safety check: don't execute zip from current directory +let s:tmp_cwd = getcwd() if !exists('g:zig_std_dir') && exists('*json_decode') && - \ executable('zig') && fnamemodify(exepath("zig"), ":p:h") != getcwd() + \ executable('zig') && (fnamemodify(exepath("zig"), ":p:h") != s:tmp_cwd + \ || (index(split($PATH,has("win32")? ';' : ':'), s:tmp_cwd) != -1 && s:tmp_cwd != '.')) silent let s:env = system('zig env') if v:shell_error == 0 let g:zig_std_dir = json_decode(s:env)['std_dir'] endif unlet! s:env endif +unlet s:tmp_cwd if exists('g:zig_std_dir') let &l:path = &l:path . ',' . g:zig_std_dir -- cgit From ec753cf40db4d326c2fbbf5e5be0d249be561a41 Mon Sep 17 00:00:00 2001 From: Christian Clason Date: Wed, 6 Sep 2023 23:50:17 +0200 Subject: vim-patch:f7ac0ef50988 runtime: don't execute external commands when loading ftplugins This is a followup to 816fbcc262687b81fc46f82f7bbeb1453addfe0c (patch 9.0.1833: [security] runtime file fixes) It basically disables that external commands are run on loading of the filetype plugin, **unless** the user has set the `g:plugin_exec = 1` global variable in their configuration or for a specific filetype the variable g:_exec=1. There are a few more plugins, that may execute system commands like debchangelog, gitcommit, sh, racket, zsh, ps1 but those do at least do not run those commands by default during loading of the filetype plugin (there the command is mostly run as convenience for auto-completion or to provide documentation lookup). closes: vim/vim#13034 https://github.com/vim/vim/commit/f7ac0ef5098856bedca26e7073594a407c05636f Co-authored-by: Christian Brabandt Co-authored-by: Tim Pope --- runtime/ftplugin/zig.vim | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'runtime/ftplugin/zig.vim') diff --git a/runtime/ftplugin/zig.vim b/runtime/ftplugin/zig.vim index 45ea582615..2a081980cc 100644 --- a/runtime/ftplugin/zig.vim +++ b/runtime/ftplugin/zig.vim @@ -40,17 +40,17 @@ endif let &l:define='\v(|||^\s*\#\s*define)' " Safety check: don't execute zip from current directory -let s:tmp_cwd = getcwd() if !exists('g:zig_std_dir') && exists('*json_decode') && - \ executable('zig') && (fnamemodify(exepath("zig"), ":p:h") != s:tmp_cwd - \ || (index(split($PATH,has("win32")? ';' : ':'), s:tmp_cwd) != -1 && s:tmp_cwd != '.')) + \ executable('zig') && get(g:, 'zig_exec', get(g:, 'plugin_exec', 0)) + \ && (fnamemodify(exepath("zig"), ":p:h") != s:tmp_cwd + \ || (index(split($PATH,has("win32")? ';' : ':'), s:tmp_cwd) != -1 && s:tmp_cwd != '.')) silent let s:env = system('zig env') if v:shell_error == 0 let g:zig_std_dir = json_decode(s:env)['std_dir'] endif unlet! s:env endif -unlet s:tmp_cwd +unlet! s:tmp_cwd if exists('g:zig_std_dir') let &l:path = &l:path . ',' . g:zig_std_dir -- cgit From b9d9cd77421a7906d6e0a968a3c0ddd86e9923fe Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Sat, 9 Sep 2023 17:47:28 +0800 Subject: vim-patch:partial:9.0.1886: Various Typos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Problem: Various Typos Solution: Fix Typos This is a collection of typo related commits. closes: vim/vim#12753 closes: vim/vim#13016 https://github.com/vim/vim/commit/ee17b6f70d382ec6c5d8d27b56c4e84106ac8c55 Co-authored-by: Christian Brabandt Co-authored-by: Adri Verhoef Co-authored-by: Viktor Szépe Co-authored-by: nuid64 Co-authored-by: Meng Xiangzhuo Co-authored-by: Dominique Pellé --- runtime/ftplugin/zig.vim | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'runtime/ftplugin/zig.vim') diff --git a/runtime/ftplugin/zig.vim b/runtime/ftplugin/zig.vim index 2a081980cc..cfd7102b8d 100644 --- a/runtime/ftplugin/zig.vim +++ b/runtime/ftplugin/zig.vim @@ -39,7 +39,7 @@ endif let &l:define='\v(|||^\s*\#\s*define)' -" Safety check: don't execute zip from current directory +" Safety check: don't execute zig from current directory if !exists('g:zig_std_dir') && exists('*json_decode') && \ executable('zig') && get(g:, 'zig_exec', get(g:, 'plugin_exec', 0)) \ && (fnamemodify(exepath("zig"), ":p:h") != s:tmp_cwd -- cgit From e6d352d8d7d8a987d0bd9b2e13bfd395e1127c3e Mon Sep 17 00:00:00 2001 From: Gregory Anders Date: Thu, 19 Oct 2023 10:20:12 -0500 Subject: vim-patch:e08bfef88bd0 runtime(zig): Update Zig runtime files (vim/vim#13388) Update runtime files from upstream (https://github.com/zig/zig.vim) at commit 54c216e5306a5c3878a60596aacb94dca8652ab9. https://github.com/vim/vim/commit/e08bfef88bd05a9d27ee16c57cd10173e280f600 Co-authored-by: Gregory Anders <8965202+gpanders@users.noreply.github.com> --- runtime/ftplugin/zig.vim | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'runtime/ftplugin/zig.vim') diff --git a/runtime/ftplugin/zig.vim b/runtime/ftplugin/zig.vim index cfd7102b8d..291fe44b11 100644 --- a/runtime/ftplugin/zig.vim +++ b/runtime/ftplugin/zig.vim @@ -28,7 +28,7 @@ setlocal formatoptions-=t formatoptions+=croql setlocal suffixesadd=.zig,.zir if has('comments') - setlocal comments=:///,://!,://,:\\\\ + setlocal comments=:///,://!,:// setlocal commentstring=//\ %s endif @@ -53,7 +53,7 @@ endif unlet! s:tmp_cwd if exists('g:zig_std_dir') - let &l:path = &l:path . ',' . g:zig_std_dir + let &l:path = g:zig_std_dir . ',' . &l:path endif let b:undo_ftplugin = -- cgit From 26cdff0e92bf93a2afcb4a78e056780ea3f582e7 Mon Sep 17 00:00:00 2001 From: Christian Clason Date: Sat, 4 Nov 2023 11:37:42 +0100 Subject: vim-patch:cd8a3eaf5348 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit runtime(dist): centralize safe executable check and add vim library (vim/vim#13413) Follow up to 816fbcc26 (patch 9.0.1833: [security] runtime file fixes, 2023-08-31) and f7ac0ef50 (runtime: don't execute external commands when loading ftplugins, 2023-09-06). This puts the logic for safe executable checks in a single place, by introducing a central vim library, so all filetypes benefit from consistency. Notable changes: - dist#vim because the (autoload) namespace for a new runtime support library. Supporting functions should get documentation. It might make life easier for NeoVim devs to make the documentation a new file rather than cram it into existing files, though we may want cross-references to it somewhere… - The gzip and zip plugins need to be opted into by enabling execution of those programs (or the global plugin_exec). This needs documentation or discussion. - This fixes a bug in the zig plugin: code setting s:tmp_cwd was removed in f7ac0ef50 (runtime: don't execute external commands when loading ftplugins, 2023-09-06), but the variable was still referenced. Since the new function takes care of that automatically, the variable is no longer needed. https://github.com/vim/vim/commit/cd8a3eaf5348feacfecab4b374b7ea4ce6a97422 Co-authored-by: D. Ben Knoble --- runtime/ftplugin/zig.vim | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'runtime/ftplugin/zig.vim') diff --git a/runtime/ftplugin/zig.vim b/runtime/ftplugin/zig.vim index 291fe44b11..28b8cd5a67 100644 --- a/runtime/ftplugin/zig.vim +++ b/runtime/ftplugin/zig.vim @@ -41,16 +41,13 @@ let &l:define='\v(|||^\s*\#\s*define)' " Safety check: don't execute zig from current directory if !exists('g:zig_std_dir') && exists('*json_decode') && - \ executable('zig') && get(g:, 'zig_exec', get(g:, 'plugin_exec', 0)) - \ && (fnamemodify(exepath("zig"), ":p:h") != s:tmp_cwd - \ || (index(split($PATH,has("win32")? ';' : ':'), s:tmp_cwd) != -1 && s:tmp_cwd != '.')) + \ executable('zig') && dist#vim#IsSafeExecutable('zig', 'zig') silent let s:env = system('zig env') if v:shell_error == 0 let g:zig_std_dir = json_decode(s:env)['std_dir'] endif unlet! s:env endif -unlet! s:tmp_cwd if exists('g:zig_std_dir') let &l:path = g:zig_std_dir . ',' . &l:path -- cgit