patch 8.1.0538: evaluating a modeline might invoke using a shell command

Problem: Evaluating a modeline might invoke using a shell command. (Paul Huber) Solution: Set the sandbox flag when setting options from a modeline.
2025-09-24 03:44:06 -04:00 · 2018-11-20 04:25:21 +01:00
parent 48d23bb4de
commit 5958f95a40
2 changed files with 7 additions and 0 deletions
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -5522,7 +5522,12 @@ chk_modeline(
 		current_sctx.sc_seq = 0;
 		current_sctx.sc_lnum = 0;
 #endif
+		// Make sure no risky things are executed as a side effect.
+		++sandbox;
+
 		retval = do_set(s, OPT_MODELINE | OPT_LOCAL | flags);
+
+		--sandbox;
 #ifdef FEAT_EVAL
 		current_sctx = save_current_sctx;
 #endif
--- a/src/version.c
+++ b/src/version.c
@@ -792,6 +792,8 @@ static char *(features[]) =

 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    538,
 /**/
    537,
 /**/