Commit | Line | Data |
---|---|---|
468bf62c AM |
1 | To: vim-dev@vim.org |
2 | Subject: patch 7.0.234 | |
3 | Fcc: outbox | |
4 | From: Bram Moolenaar <Bram@moolenaar.net> | |
5 | Mime-Version: 1.0 | |
6 | Content-Type: text/plain; charset=ISO-8859-1 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ------------ | |
9 | ||
10 | Patch 7.0.234 | |
11 | Problem: It's possible to use feedkeys() from a modeline. That is a | |
12 | security issue, can be used for a trojan horse. | |
13 | Solution: Disallow using feedkeys() in the sandbox. | |
14 | Files: src/eval.c | |
15 | ||
16 | ||
17 | *** ../vim-7.0.233/src/eval.c Thu Apr 26 17:08:16 2007 | |
18 | --- src/eval.c Fri Apr 27 21:48:18 2007 | |
19 | *************** | |
20 | *** 9078,9083 **** | |
21 | --- 9078,9089 ---- | |
22 | int typed = FALSE; | |
23 | char_u *keys_esc; | |
24 | ||
25 | + /* This is not allowed in the sandbox. If the commands would still be | |
26 | + * executed in the sandbox it would be OK, but it probably happens later, | |
27 | + * when "sandbox" is no longer set. */ | |
28 | + if (check_secure()) | |
29 | + return; | |
30 | + | |
31 | rettv->vval.v_number = 0; | |
32 | keys = get_tv_string(&argvars[0]); | |
33 | if (*keys != NUL) | |
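Review bot: The early return on `if (check_secure())` sits above `rettv->vval.v_number = 0;`, so when the sandbox check fails the function returns before the result is assigned, and what the calling script sees depends on whatever the caller left in `rettv`, which this hunk does not show. Moving the check below the `rettv->vval.v_number = 0;` line would give the blocked call a defined return value of 0. The new comment also says the queued keys "probably" run after "sandbox" is no longer set; since that timing is the reason for the block, it is worth stating definitely. The Files list names only src/eval.c, so the documentation for feedkeys() does not yet mention that it is refused in the sandbox.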
34 | *** ../vim-7.0.233/src/version.c Thu Apr 26 18:42:17 2007 | |
35 | --- src/version.c Fri Apr 27 22:13:23 2007 | |
36 | *************** | |
37 | *** 668,669 **** | |
38 | --- 668,671 ---- | |
39 | { /* Add new patch number below this line */ | |
40 | + /**/ | |
41 | + 234, | |
42 | /**/ | |
43 | ||
44 | -- | |
45 | "Making it up? Why should I want to make anything up? Life's bad enough | |
46 | as it is without wanting to invent any more of it." | |
47 | -- Marvin, the Paranoid Android in Douglas Adams' | |
48 | "The Hitchhiker's Guide to the Galaxy" | |
49 | ||
50 | /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ | |
51 | /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ | |
52 | \\\ download, build and distribute -- http://www.A-A-P.org /// | |
53 | \\\ help me help AIDS victims -- http://ICCF-Holland.org /// |