From: Hirohito Higashi Date: Fri, 26 Jun 2026 11:07:01 +0000 (+0900) Subject: patch 9.2.0736: potential command execution in PHP omni-completion X-Git-Tag: v9.2.0736^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=43afc581a37a35762dd0ef292f038b9dc5680a24;p=thirdparty%2Fvim.git patch 9.2.0736: potential command execution in PHP omni-completion Problem: With PHP omni-completion, a crafted file can potentially execute arbitrary commands when completing a class member. Solution: Quote the class name before inserting it into the search() pattern run via win_execute(). Co-Authored-By: Claude Opus 4.8 (1M context) Signed-off-by: Hirohito Higashi Signed-off-by: Christian Brabandt --- diff --git a/runtime/autoload/phpcomplete.vim b/runtime/autoload/phpcomplete.vim index 5b4263ae45..93f7d8b450 100644 --- a/runtime/autoload/phpcomplete.vim +++ b/runtime/autoload/phpcomplete.vim @@ -2082,7 +2082,8 @@ function! phpcomplete#GetClassContentsStructure(file_path, file_lines, class_nam let result = [] let popup_id = popup_create(a:file_lines, {'hidden': v:true}) - call win_execute(popup_id, 'call search(''\c\(class\|interface\|trait\)\_s\+'.a:class_name.'\(\>\|$\)'')') + call win_execute(popup_id, 'call search(' + \ . string('\c\(class\|interface\|trait\)\_s\+' . a:class_name . '\(\>\|$\)') . ')') call win_execute(popup_id, "let cfline = line('.')") call win_execute(popup_id, "call search('{')") call win_execute(popup_id, "let endline = line('.')") diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak index dd0708c5ca..533497cba0 100644 --- a/src/testdir/Make_all.mak +++ b/src/testdir/Make_all.mak @@ -252,6 +252,7 @@ NEW_TESTS = \ test_plugin_matchit \ test_plugin_matchparen \ test_plugin_netrw \ + test_plugin_phpcomplete \ test_plugin_python3complete \ test_plugin_osc52 \ test_plugin_tar \ @@ -533,6 +534,7 @@ NEW_TESTS_RES = \ test_plugin_matchit.res \ test_plugin_matchparen.res \ test_plugin_netrw.res \ + test_plugin_phpcomplete.res \ test_plugin_python3complete.res \ test_plugin_osc52.res \ test_plugin_tar.res \ diff --git a/src/testdir/test_plugin_phpcomplete.vim b/src/testdir/test_plugin_phpcomplete.vim new file mode 100644 index 0000000000..7f66be47b7 --- /dev/null +++ b/src/testdir/test_plugin_phpcomplete.vim @@ -0,0 +1,35 @@ +" Tests for the PHP omni-completion plugin (runtime/autoload/phpcomplete.vim). + +" A buffer class name is interpolated into a search() pattern run via +" win_execute(). Without escaping, "'" closes the string and "|" starts a new +" Ex command, so the name runs as an Ex command during completion. +func Test_phpcomplete_no_exec_via_class_name() + unlet! g:phpcomplete_injected + let lines = [' 0, 'no class structure returned') + call assert_match('class Foo', result[0].content, + \ 'class body missing from returned content') + call assert_match('bar', result[0].content, + \ 'class member missing from returned content') +endfunc + +" vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index 5a976ac577..b96b4c5169 100644 --- a/src/version.c +++ b/src/version.c @@ -759,6 +759,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 736, /**/ 735, /**/