vim-patch:8.1.1143: may pass weird strings to file name expansion

Problem: May pass weird strings to file name expansion. Solution: Check for matching characters. Disallow control characters. 8f130eda47
2025-02-25 18:55:25 -06:00 · 2020-01-26 08:17:08 -05:00 · 2020-01-26 08:17:08 -05:00 · 08c5a874ab
commit 08c5a874ab
parent 6f073ccbf4
6 changed files with 53 additions and 10 deletions
--- a/src/nvim/option.c
+++ b/src/nvim/option.c
@ -2509,18 +2509,35 @@ static char *set_string_option(const int opt_idx, const char *const value,
  return r;
 }

-/// Return true if "val" is a valid 'filetype' name.
-/// Also used for 'syntax' and 'keymap'.
-static bool valid_filetype(char_u *val)
+/// Return true if "val" is a valid name: only consists of alphanumeric ASCII
+/// characters or characters in "allowed".
+static bool valid_name(const char_u *val, const char *allowed)
+  FUNC_ATTR_NONNULL_ALL FUNC_ATTR_PURE FUNC_ATTR_WARN_UNUSED_RESULT
 {
-  for (char_u *s = val; *s != NUL; s++) {
-    if (!ASCII_ISALNUM(*s) && vim_strchr((char_u *)".-_", *s) == NULL) {
+  for (const char_u *s = val; *s != NUL; s++) {
+    if (!ASCII_ISALNUM(*s)
+        && vim_strchr((const char_u *)allowed, *s) == NULL) {
      return false;
    }
  }
  return true;
 }

+/// Return true if "val" is a valid 'filetype' name.
+/// Also used for 'syntax' and 'keymap'.
+static bool valid_filetype(const char_u *val)
+  FUNC_ATTR_NONNULL_ALL FUNC_ATTR_PURE FUNC_ATTR_WARN_UNUSED_RESULT
+{
+  return valid_name(val, ".-_");
+}
+
+/// Return true if "val" is a valid 'spellang' value.
+bool valid_spellang(const char_u *val)
+  FUNC_ATTR_NONNULL_ALL FUNC_ATTR_PURE FUNC_ATTR_WARN_UNUSED_RESULT
+{
+  return valid_name(val, ".-_,");
+}
+
 /// Handle string options that need some action to perform when changed.
 /// Returns NULL for success, or an error message for an error.
 static char_u *
@ -3032,7 +3049,11 @@ ambw_end:
             || varp == &(curwin->w_s->b_p_spf)) {
    // When 'spelllang' or 'spellfile' is set and there is a window for this
    // buffer in which 'spell' is set load the wordlists.
+    if (!valid_spellang(*varp)) {
+      errmsg = e_invarg;
+    } else {
      errmsg = did_set_spell_option(varp == &(curwin->w_s->b_p_spf));
+    }
  } else if (varp == &(curwin->w_s->b_p_spc)) {
    // When 'spellcapcheck' is set compile the regexp program.
    errmsg = compile_cap_prog(curwin->w_s);
--- a/src/nvim/path.c
+++ b/src/nvim/path.c
@ -1120,10 +1120,22 @@ static bool has_env_var(char_u *p)
 static bool has_special_wildchar(char_u *p)
 {
  for (; *p; MB_PTR_ADV(p)) {
-    // Allow for escaping
-    if (*p == '\\' && p[1] != NUL) {
+    // Disallow line break characters.
+    if (*p == '\r' || *p == '\n') {
+      break;
+    }
+    // Allow for escaping.
+    if (*p == '\\' && p[1] != NUL && p[1] != '\r' && p[1] != '\n') {
      p++;
    } else if (vim_strchr((char_u *)SPECIAL_WILDCHAR, *p) != NULL) {
+      // A { must be followed by a matching }.
+      if (*p == '{' && vim_strchr(p, '}') == NULL) {
+        continue;
+      }
+      // A quote and backtick must be followed by another one.
+      if ((*p == '`' || *p == '\'') && vim_strchr(p, *p) == NULL) {
+        continue;
+      }
      return true;
    }
  }
--- a/src/nvim/spell.c
+++ b/src/nvim/spell.c
@ -2008,6 +2008,10 @@ char_u *did_set_spelllang(win_T *wp)
    region = NULL;
    len = (int)STRLEN(lang);

+    if (!valid_spellang(lang)) {
+      continue;
+    }
+
    if (STRCMP(lang, "cjk") == 0) {
      wp->w_s->b_cjk = 1;
      continue;
--- a/src/nvim/testdir/test_escaped_glob.vim
+++ b/src/nvim/testdir/test_escaped_glob.vim
@ -17,7 +17,7 @@ function Test_glob()
  " Setting 'shell' to an invalid name causes a memory leak.
  sandbox call assert_equal("", glob('Xxx\{'))
  sandbox call assert_equal("", glob('Xxx\$'))
-  w! Xxx{
+  w! Xxx\{
  " } to fix highlighting
  w! Xxx\$
  sandbox call assert_equal("Xxx{", glob('Xxx\{'))
--- a/src/nvim/testdir/test_spell.vim
+++ b/src/nvim/testdir/test_spell.vim
@ -151,6 +151,12 @@ func Test_spellinfo()
  set nospell spelllang=en
  call assert_fails('spellinfo', 'E756:')

+  call assert_fails('set spelllang=foo/bar', 'E474:')
+  call assert_fails('set spelllang=foo\ bar', 'E474:')
+  call assert_fails("set spelllang=foo\\\nbar", 'E474:')
+  call assert_fails("set spelllang=foo\\\rbar", 'E474:')
+  call assert_fails("set spelllang=foo+bar", 'E474:')
+
  set enc& spell& spelllang&
  bwipe
 endfunc
--- a/test/functional/legacy/097_glob_path_spec.lua
+++ b/test/functional/legacy/097_glob_path_spec.lua
@ -52,7 +52,7 @@ describe('glob() and globpath()', function()
      command([[$put =glob('Xxx\{')]])
      command([[$put =glob('Xxx\$')]])

-      command('silent w! Xxx{')
+      command('silent w! Xxx\\{')
      command([[w! Xxx\$]])
      command([[$put =glob('Xxx\{')]])
      command([[$put =glob('Xxx\$')]])