IntenseFinance/neovim
3
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-02-25 18:55:25 -06:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:8.1.1143: may pass weird strings to file name expansion

Browse Source 
Problem:    May pass weird strings to file name expansion.
Solution:   Check for matching characters.  Disallow control characters.
8f130eda47
This commit is contained in:
Jan Edmund Lazo 2020-01-26 08:17:08 -05:00
parent 6f073ccbf4
commit 08c5a874ab
No known key found for this signature in database
GPG Key ID: 64915E6E9F735B15
6 changed files with 53 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
src/nvim/option.c
View File

@ -2509,18 +2509,35 @@ static char *set_string_option(const int opt_idx, const char *const value,
return r; return r;
} }
/// Return true if "val" is a valid 'filetype' name. /// Return true if "val" is a valid name: only consists of alphanumeric ASCII
/// Also used for 'syntax' and 'keymap'. /// characters or characters in "allowed".
static bool valid_filetype(char_u *val) static bool valid_name(const char_u *val, const char *allowed)
FUNC_ATTR_NONNULL_ALL FUNC_ATTR_PURE FUNC_ATTR_WARN_UNUSED_RESULT
{ {
for (char_u *s = val; *s != NUL; s++) { for (const char_u *s = val; *s != NUL; s++) {
if (!ASCII_ISALNUM(*s) && vim_strchr((char_u *)".-_", *s) == NULL) { if (!ASCII_ISALNUM(*s)
&& vim_strchr((const char_u *)allowed, *s) == NULL) {
return false; return false;
} }
} }
return true; return true;
} }
/// Return true if "val" is a valid 'filetype' name.
/// Also used for 'syntax' and 'keymap'.
static bool valid_filetype(const char_u *val)
FUNC_ATTR_NONNULL_ALL FUNC_ATTR_PURE FUNC_ATTR_WARN_UNUSED_RESULT
{
return valid_name(val, ".-_");
}
/// Return true if "val" is a valid 'spellang' value.
bool valid_spellang(const char_u *val)
FUNC_ATTR_NONNULL_ALL FUNC_ATTR_PURE FUNC_ATTR_WARN_UNUSED_RESULT
{
return valid_name(val, ".-_,");
}
/// Handle string options that need some action to perform when changed. /// Handle string options that need some action to perform when changed.
/// Returns NULL for success, or an error message for an error. /// Returns NULL for success, or an error message for an error.
static char_u * static char_u *
@ -3032,7 +3049,11 @@ ambw_end:
|| varp == &(curwin->w_s->b_p_spf)) { || varp == &(curwin->w_s->b_p_spf)) {
// When 'spelllang' or 'spellfile' is set and there is a window for this // When 'spelllang' or 'spellfile' is set and there is a window for this
// buffer in which 'spell' is set load the wordlists. // buffer in which 'spell' is set load the wordlists.
errmsg = did_set_spell_option(varp == &(curwin->w_s->b_p_spf)); if (!valid_spellang(*varp)) {
errmsg = e_invarg;
} else {
errmsg = did_set_spell_option(varp == &(curwin->w_s->b_p_spf));
}
} else if (varp == &(curwin->w_s->b_p_spc)) { } else if (varp == &(curwin->w_s->b_p_spc)) {
// When 'spellcapcheck' is set compile the regexp program. // When 'spellcapcheck' is set compile the regexp program.
errmsg = compile_cap_prog(curwin->w_s); errmsg = compile_cap_prog(curwin->w_s);

16
src/nvim/path.c
View File

@ -1120,10 +1120,22 @@ static bool has_env_var(char_u *p)
static bool has_special_wildchar(char_u *p) static bool has_special_wildchar(char_u *p)
{ {
for (; *p; MB_PTR_ADV(p)) { for (; *p; MB_PTR_ADV(p)) {
// Allow for escaping // Disallow line break characters.
if (*p == '\\' && p[1] != NUL) { if (*p == '\r' || *p == '\n') {
break;
}
// Allow for escaping.
if (*p == '\\' && p[1] != NUL && p[1] != '\r' && p[1] != '\n') {
p++; p++;
} else if (vim_strchr((char_u *)SPECIAL_WILDCHAR, *p) != NULL) { } else if (vim_strchr((char_u *)SPECIAL_WILDCHAR, *p) != NULL) {
// A { must be followed by a matching }.
if (*p == '{' && vim_strchr(p, '}') == NULL) {
continue;
}
// A quote and backtick must be followed by another one.
if ((*p == '`' || *p == '\'') && vim_strchr(p, *p) == NULL) {
continue;
}
return true; return true;
} }
} }

4
src/nvim/spell.c
View File

@ -2008,6 +2008,10 @@ char_u *did_set_spelllang(win_T *wp)
region = NULL; region = NULL;
len = (int)STRLEN(lang); len = (int)STRLEN(lang);
if (!valid_spellang(lang)) {
continue;
}
if (STRCMP(lang, "cjk") == 0) { if (STRCMP(lang, "cjk") == 0) {
wp->w_s->b_cjk = 1; wp->w_s->b_cjk = 1;
continue; continue;

2
src/nvim/testdir/test_escaped_glob.vim
View File

@ -17,7 +17,7 @@ function Test_glob()
" Setting 'shell' to an invalid name causes a memory leak. " Setting 'shell' to an invalid name causes a memory leak.
sandbox call assert_equal("", glob('Xxx\{')) sandbox call assert_equal("", glob('Xxx\{'))
sandbox call assert_equal("", glob('Xxx\$')) sandbox call assert_equal("", glob('Xxx\$'))
w! Xxx{ w! Xxx\{
" } to fix highlighting " } to fix highlighting
w! Xxx\$ w! Xxx\$
sandbox call assert_equal("Xxx{", glob('Xxx\{')) sandbox call assert_equal("Xxx{", glob('Xxx\{'))

6
src/nvim/testdir/test_spell.vim
View File

@ -151,6 +151,12 @@ func Test_spellinfo()
set nospell spelllang=en set nospell spelllang=en
call assert_fails('spellinfo', 'E756:') call assert_fails('spellinfo', 'E756:')
call assert_fails('set spelllang=foo/bar', 'E474:')
call assert_fails('set spelllang=foo\ bar', 'E474:')
call assert_fails("set spelllang=foo\\\nbar", 'E474:')
call assert_fails("set spelllang=foo\\\rbar", 'E474:')
call assert_fails("set spelllang=foo+bar", 'E474:')
set enc& spell& spelllang& set enc& spell& spelllang&
bwipe bwipe
endfunc endfunc

2
test/functional/legacy/097_glob_path_spec.lua
View File

@ -52,7 +52,7 @@ describe('glob() and globpath()', function()
command([[$put =glob('Xxx\{')]]) command([[$put =glob('Xxx\{')]])
command([[$put =glob('Xxx\$')]]) command([[$put =glob('Xxx\$')]])
command('silent w! Xxx{') command('silent w! Xxx\\{')
command([[w! Xxx\$]]) command([[w! Xxx\$]])
command([[$put =glob('Xxx\{')]]) command([[$put =glob('Xxx\{')]])
command([[$put =glob('Xxx\$')]]) command([[$put =glob('Xxx\$')]])