This was wrongly included as of patch 1c6734291295bf8aa39577840b40bb
because apparently I messed up the use of git apply :/
Signed-off-by: Christian Brabandt <cb@256bit.org>
This change does the following 3 things:
1) non need to quote the file to be extracted
The zipfile plugin used to quote and fnameescape() the path to the
file to be extracted. However testing with unzip showed, that while this
works on Linux on Windows you shall not escape the blanks in filenames.
As long as the pathname is properly quoted, this words on Linux and
Windows.
2) reset shellslash (MS-Windows only)
When shellslash is set, filenames to the zip archive will be forward
quoted. However since the filename is eventually handed over to the
unzip command, we need to make sure to use native paths so that the
command will understand what file to open. Therefore, if shellslash is
set (and the shell is cmd.exe), replace any forward slashes by the
expected backslashes
3) style:
Use tabs for the Header, remove a few comments in the s:Escape() and
zip#read() functions
fixes: #14998
Signed-off-by: Christian Brabandt <cb@256bit.org>
Follow up to 816fbcc26 (patch 9.0.1833: [security] runtime file fixes,
2023-08-31) and f7ac0ef50 (runtime: don't execute external commands when
loading ftplugins, 2023-09-06).
This puts the logic for safe executable checks in a single place, by introducing
a central vim library, so all filetypes benefit from consistency.
Notable changes:
- dist#vim because the (autoload) namespace for a new runtime support
library. Supporting functions should get documentation. It might make
life easier for NeoVim devs to make the documentation a new file
rather than cram it into existing files, though we may want
cross-references to it somewhere…
- The gzip and zip plugins need to be opted into by enabling execution
of those programs (or the global plugin_exec). This needs
documentation or discussion.
- This fixes a bug in the zig plugin: code setting s:tmp_cwd was removed
in f7ac0ef50 (runtime: don't execute external commands when loading
ftplugins, 2023-09-06), but the variable was still referenced. Since
the new function takes care of that automatically, the variable is no
longer needed.
Signed-off-by: D. Ben Knoble <ben.knoble+github@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
In case the current directory is present as valid $PATH entry, it is OK
to call the program from it, even if vim curdir is in that same
directory.
(Without that patch, for instance, you will not be able to open .zip
files while your current directory is /bin)
closes: #13027
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: runtime files may execute code in current dir
Solution: only execute, if not run from current directory
The perl, zig and ruby filetype plugins and the zip and gzip autoload
plugins may try to load malicious executable files from the current
working directory. This is especially a problem on windows, where the
current directory is implicitly in your $PATH and windows may even run a
file with the extension `.bat` because of $PATHEXT.
So make sure that we are not trying to execute a file from the current
directory. If this would be the case, error out (for the zip and gzip)
plugins or silently do not run those commands (for the ftplugins).
This assumes, that only the current working directory is bad. For all
other directories, it is assumed that those directories were
intentionally set to the $PATH by the user.
Signed-off-by: Christian Brabandt <cb@256bit.org>
