]> git.ipfire.org Git - thirdparty/vim.git/commitdiff
patch 9.2.0736: potential command execution in PHP omni-completion v9.2.0736
authorHirohito Higashi <h.east.727@gmail.com>
Fri, 26 Jun 2026 11:07:01 +0000 (20:07 +0900)
committerChristian Brabandt <cb@256bit.org>
Sat, 27 Jun 2026 07:51:09 +0000 (07:51 +0000)
Problem:  With PHP omni-completion, a crafted file can potentially
          execute arbitrary commands when completing a class member.
Solution: Quote the class name before inserting it into the search()
          pattern run via win_execute().

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
runtime/autoload/phpcomplete.vim
src/testdir/Make_all.mak
src/testdir/test_plugin_phpcomplete.vim [new file with mode: 0644]
src/version.c

index 5b4263ae458f71753af79e6d5fb67d937020607b..93f7d8b450f904eb282476e04b784d162bc42297 100644 (file)
@@ -2082,7 +2082,8 @@ function! phpcomplete#GetClassContentsStructure(file_path, file_lines, class_nam
        let result = []
        let popup_id = popup_create(a:file_lines, {'hidden': v:true})
 
-       call win_execute(popup_id, 'call search(''\c\(class\|interface\|trait\)\_s\+'.a:class_name.'\(\>\|$\)'')')
+       call win_execute(popup_id, 'call search('
+               \ . string('\c\(class\|interface\|trait\)\_s\+' . a:class_name . '\(\>\|$\)') . ')')
        call win_execute(popup_id, "let cfline = line('.')")
        call win_execute(popup_id, "call search('{')")
        call win_execute(popup_id, "let endline = line('.')")
index dd0708c5ca66e6112e9d74f42df674f8d9677788..533497cba05215e428e0fc55b895a5644f5c447f 100644 (file)
@@ -252,6 +252,7 @@ NEW_TESTS = \
        test_plugin_matchit \
        test_plugin_matchparen \
        test_plugin_netrw \
+       test_plugin_phpcomplete \
        test_plugin_python3complete \
        test_plugin_osc52 \
        test_plugin_tar \
@@ -533,6 +534,7 @@ NEW_TESTS_RES = \
        test_plugin_matchit.res \
        test_plugin_matchparen.res \
        test_plugin_netrw.res \
+       test_plugin_phpcomplete.res \
        test_plugin_python3complete.res \
        test_plugin_osc52.res \
        test_plugin_tar.res \
diff --git a/src/testdir/test_plugin_phpcomplete.vim b/src/testdir/test_plugin_phpcomplete.vim
new file mode 100644 (file)
index 0000000..7f66be4
--- /dev/null
@@ -0,0 +1,35 @@
+" Tests for the PHP omni-completion plugin (runtime/autoload/phpcomplete.vim).
+
+" A buffer class name is interpolated into a search() pattern run via
+" win_execute().  Without escaping, "'" closes the string and "|" starts a new
+" Ex command, so the name runs as an Ex command during completion.
+func Test_phpcomplete_no_exec_via_class_name()
+  unlet! g:phpcomplete_injected
+  let lines = ['<?php', 'class x {}', '']
+  let payload = "x')|let g:phpcomplete_injected = 1|call search('"
+
+  try
+    call phpcomplete#GetClassContentsStructure('x.php', lines, payload)
+  catch
+  endtry
+
+  call assert_false(exists('g:phpcomplete_injected'),
+        \ 'class name was executed as an Ex command during completion')
+
+  unlet! g:phpcomplete_injected
+endfunc
+
+func Test_phpcomplete_class_lookup_still_works()
+  let lines = ['<?php', 'class Foo {', '    public $bar;', '}', '']
+  let result = phpcomplete#GetClassContentsStructure('Foo.php', lines, 'Foo')
+
+  call assert_equal(type([]), type(result),
+        \ 'GetClassContentsStructure did not return a list')
+  call assert_true(len(result) > 0, 'no class structure returned')
+  call assert_match('class Foo', result[0].content,
+        \ 'class body missing from returned content')
+  call assert_match('bar', result[0].content,
+        \ 'class member missing from returned content')
+endfunc
+
+" vim: shiftwidth=2 sts=2 expandtab
index 5a976ac5775f8c5ad1113b93f759817eb9d128b8..b96b4c5169ab81e2ed4ae5590bbdf9e148c97eb7 100644 (file)
@@ -759,6 +759,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    736,
 /**/
     735,
 /**/