aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-09-27 04:14:06 -04:00
Code Activity

patch 8.1.1143: may pass weird strings to file name expansion

Browse Source 
Problem:    May pass weird strings to file name expansion.
Solution:   Check for matching characters.  Disallow control characters.
This commit is contained in:
Bram Moolenaar
2019-04-10 22:15:19 +02:00
parent 3fb01a53c6
commit 8f130eda47
7 changed files with 57 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/misc1.c
View File

@@ -6170,11 +6170,22 @@ has_special_wildchar(char_u *p)
{ {
for ( ; *p; MB_PTR_ADV(p)) for ( ; *p; MB_PTR_ADV(p))
{ {
/* Allow for escaping. */ // Disallow line break characters.
if (*p == '\\' && p[1] != NUL) if (*p == '\r' || *p == '\n')
break;
// Allow for escaping.
if (*p == '\\' && p[1] != NUL && p[1] != '\r' && p[1] != '\n')
++p; ++p;
else if (vim_strchr((char_u *)SPECIAL_WILDCHAR, *p) != NULL) else if (vim_strchr((char_u *)SPECIAL_WILDCHAR, *p) != NULL)
{
// A { must be followed by a matching }.
if (*p == '{' && vim_strchr(p, '}') == NULL)
continue;
// A quote and backtick must be followed by another one.
if ((*p == '`' || *p == '\'') && vim_strchr(p, *p) == NULL)
continue;
return TRUE; return TRUE;
}
} }
return FALSE; return FALSE;
} }

37
src/option.c
View File

@@ -6005,6 +6005,21 @@ set_string_option(
return r; return r;
} }
/*
* Return TRUE if "val" is a valid name: only consists of alphanumeric ASCII
* characters or characters in "allowed".
*/
static int
valid_name(char_u *val, char *allowed)
{
char_u *s;
for (s = val; *s != NUL; ++s)
if (!ASCII_ISALNUM(*s) && vim_strchr((char_u *)allowed, *s) == NULL)
return FALSE;
return TRUE;
}
/* /*
* Return TRUE if "val" is a valid 'filetype' name. * Return TRUE if "val" is a valid 'filetype' name.
* Also used for 'syntax' and 'keymap'. * Also used for 'syntax' and 'keymap'.
@@ -6012,12 +6027,16 @@ set_string_option(
static int static int
valid_filetype(char_u *val) valid_filetype(char_u *val)
{ {
char_u *s; return valid_name(val, ".-_");
}
for (s = val; *s != NUL; ++s) /*
if (!ASCII_ISALNUM(*s) && vim_strchr((char_u *)".-_", *s) == NULL) * Return TRUE if "val" is a valid 'spellang' value.
return FALSE; */
return TRUE; int
valid_spellang(char_u *val)
{
return valid_name(val, ".-_,");
} }
/* /*
@@ -7082,7 +7101,10 @@ did_set_string_option(
else if (varp == &(curwin->w_s->b_p_spl) else if (varp == &(curwin->w_s->b_p_spl)
|| varp == &(curwin->w_s->b_p_spf)) || varp == &(curwin->w_s->b_p_spf))
{ {
errmsg = did_set_spell_option(varp == &(curwin->w_s->b_p_spf)); if (!valid_spellang(*varp))
errmsg = e_invarg;
else
errmsg = did_set_spell_option(varp == &(curwin->w_s->b_p_spf));
} }
/* When 'spellcapcheck' is set compile the regexp program. */ /* When 'spellcapcheck' is set compile the regexp program. */
else if (varp == &(curwin->w_s->b_p_spc)) else if (varp == &(curwin->w_s->b_p_spc))
@@ -7737,7 +7759,8 @@ did_set_string_option(
break; break;
if (p > q) if (p > q)
{ {
vim_snprintf((char *)fname, 200, "spell/%.*s.vim", (int)(p - q), q); vim_snprintf((char *)fname, 200, "spell/%.*s.vim",
(int)(p - q), q);
source_runtime(fname, DIP_ALL); source_runtime(fname, DIP_ALL);
} }
} }

1
src/proto/option.pro
View File

@@ -21,6 +21,7 @@ int get_term_opt_idx(char_u **p);
int set_term_option_alloced(char_u **p); int set_term_option_alloced(char_u **p);
int was_set_insecurely(char_u *opt, int opt_flags); int was_set_insecurely(char_u *opt, int opt_flags);
void set_string_option_direct(char_u *name, int opt_idx, char_u *val, int opt_flags, int set_sid); void set_string_option_direct(char_u *name, int opt_idx, char_u *val, int opt_flags, int set_sid);
int valid_spellang(char_u *val);
char *check_colorcolumn(win_T *wp); char *check_colorcolumn(win_T *wp);
char *check_stl_option(char_u *s); char *check_stl_option(char_u *s);
void set_term_option_sctx_idx(char *name, int opt_idx); void set_term_option_sctx_idx(char *name, int opt_idx);

5
src/spell.c
View File

@@ -2308,11 +2308,14 @@ did_set_spelllang(win_T *wp)
/* Loop over comma separated language names. */ /* Loop over comma separated language names. */
for (splp = spl_copy; *splp != NUL; ) for (splp = spl_copy; *splp != NUL; )
{ {
/* Get one language name. */ // Get one language name.
copy_option_part(&splp, lang, MAXWLEN, ","); copy_option_part(&splp, lang, MAXWLEN, ",");
region = NULL; region = NULL;
len = (int)STRLEN(lang); len = (int)STRLEN(lang);
if (!valid_spellang(lang))
continue;
if (STRCMP(lang, "cjk") == 0) if (STRCMP(lang, "cjk") == 0)
{ {
wp->w_s->b_cjk = 1; wp->w_s->b_cjk = 1;

2
src/testdir/test_escaped_glob.vim
View File

@@ -17,7 +17,7 @@ function Test_glob()
" Setting 'shell' to an invalid name causes a memory leak. " Setting 'shell' to an invalid name causes a memory leak.
sandbox call assert_equal("", glob('Xxx\{')) sandbox call assert_equal("", glob('Xxx\{'))
sandbox call assert_equal("", glob('Xxx\$')) sandbox call assert_equal("", glob('Xxx\$'))
w! Xxx{ w! Xxx\{
w! Xxx\$ w! Xxx\$
sandbox call assert_equal("Xxx{", glob('Xxx\{')) sandbox call assert_equal("Xxx{", glob('Xxx\{'))
sandbox call assert_equal("Xxx$", glob('Xxx\$')) sandbox call assert_equal("Xxx$", glob('Xxx\$'))

6
src/testdir/test_spell.vim
View File

@@ -149,6 +149,12 @@ func Test_spellinfo()
set nospell spelllang=en set nospell spelllang=en
call assert_fails('spellinfo', 'E756:') call assert_fails('spellinfo', 'E756:')
call assert_fails('set spelllang=foo/bar', 'E474:')
call assert_fails('set spelllang=foo\ bar', 'E474:')
call assert_fails("set spelllang=foo\\\nbar", 'E474:')
call assert_fails("set spelllang=foo\\\rbar", 'E474:')
call assert_fails("set spelllang=foo+bar", 'E474:')
set enc& spell& spelllang& set enc& spell& spelllang&
bwipe bwipe
endfunc endfunc

2
src/version.c
View File

@@ -771,6 +771,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
1143,
/**/ /**/
1142, 1142,
/**/ /**/