From: pyllyukko Date: Tue, 17 Mar 2026 20:15:44 +0000 (+0000) Subject: patch 9.2.0188: Can set environment variables in restricted mode X-Git-Tag: v9.2.0188^0 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=15a96a04ad283eee883b5629208d1e73d37a1ca4;p=thirdparty%2Fvim.git patch 9.2.0188: Can set environment variables in restricted mode Problem: Can set environment variables in restricted mode Solution: Disallow setting environment variables using legacy Vim script (pyllyukko). related: #13394 related: #19705 closes: #19704 Signed-off-by: pyllyukko Signed-off-by: Christian Brabandt --- diff --git a/runtime/doc/starting.txt b/runtime/doc/starting.txt index 8aa6241d53..46a47b7e2b 100644 --- a/runtime/doc/starting.txt +++ b/runtime/doc/starting.txt @@ -1,4 +1,4 @@ -*starting.txt* For Vim version 9.2. Last change: 2026 Feb 25 +*starting.txt* For Vim version 9.2. Last change: 2026 Mar 17 VIM REFERENCE MANUAL by Bram Moolenaar @@ -252,7 +252,8 @@ a slash. Thus "-R" means recovery and "-/R" readonly. ":sh", filtering, the |system()| function, backtick expansion and libcall(). Also disallowed are |delete()|, |rename()|, |mkdir()|, - |job_start()|, |setenv()| etc. + |job_start()|, |setenv()| and setting environment variables, + etc. Interfaces, such as Python, Ruby and Lua, are also disabled, since they could be used to execute shell commands. Perl uses the Safe module. diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt index 81b4f7d8fd..2106a1e407 100644 --- a/runtime/doc/version9.txt +++ b/runtime/doc/version9.txt @@ -1,4 +1,4 @@ -*version9.txt* For Vim version 9.2. Last change: 2026 Mar 16 +*version9.txt* For Vim version 9.2. Last change: 2026 Mar 17 VIM REFERENCE MANUAL by Bram Moolenaar 
@@ -52595,8 +52595,10 @@ between them is small (5 bytes or less) and contains only non-word characters. This prevents fragmented highlighting when only whitespace or punctuation separates changes. -Using external diff mode is no longer allowed when Vim is running in -|restricted-mode|. +Restricted mode~ +--------------- +Using external diff mode or setting environment variables is no longer allowed +when Vim is running in |restricted-mode|. Other ~ ----- diff --git a/src/evalvars.c b/src/evalvars.c index 778e7152c6..86bbf1860d 100644 --- a/src/evalvars.c +++ b/src/evalvars.c @@ -1712,7 +1712,7 @@ ex_let_env( else if (endchars != NULL && vim_strchr(endchars, *skipwhite(arg)) == NULL) emsg(_(e_unexpected_characters_in_let)); - else if (!check_secure()) + else if (!check_secure() && !check_restricted()) { char_u *tofree = NULL; int c1 = name[len]; diff --git a/src/testdir/test_restricted.vim b/src/testdir/test_restricted.vim index 71a0515e90..2d8f483c22 100644 --- a/src/testdir/test_restricted.vim +++ b/src/testdir/test_restricted.vim @@ -138,7 +138,7 @@ func Test_restricted_diff() call delete('Xresult') endfunc -func Test_restricted_vim9_env() +func Test_restricted_env() let lines =<< trim END vim9script def SetEnv() @@ -158,6 +158,22 @@ func Test_restricted_vim9_env() call assert_equal(['not-allowed'], readfile('XResult_env')) endif call delete('XResult_env') + + let lines =<< trim END + try + let $ENV_TEST = 'val' + let result = 'okay' + catch /^Vim\%((\S\+)\)\=:E145:/ + let result = 'not-allowed' + endtry + call writefile([result], 'XResult_env') + qa! + END + call writefile(lines, 'Xrestricted_legacy', 'D') + if RunVim([], [], '-Z --clean -S Xrestricted_legacy') + call assert_equal(['not-allowed'], readfile('XResult_env')) + endif + call delete('XResult_env') endfunc " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index 38adaa4f2f..295f8ed0bb 100644 --- a/src/version.c +++ b/src/version.c 
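Review bot: The added `!check_restricted()` guard in ex_let_env covers only the `:let $VAR = ...` branch, and nothing in this diff shows whether other legacy commands that change the environment, for instance `:unlet $VAR`, pass through an equivalent check. That is worth confirming, since starting.txt now states that setting environment variables is disallowed in restricted mode. The condition also has no comment explaining why two separate gates are needed; I would add `// Changing the environment is refused both in the sandbox and in restricted mode (-Z).` directly above `else if (!check_secure() && !check_restricted())`. ex_let_env starts and ends outside the hunk.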
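Review bot: The new legacy block in Test_restricted_env proves only that E145 is thrown, not that `$ENV_TEST` stayed unset, so a regression that raises the error after the assignment has happened would still pass. Writing the value out as well, `call writefile([result, $ENV_TEST], 'XResult_env')`, and asserting `['not-allowed', '']` would pin the actual effect, assuming ENV_TEST is not already set in the test environment. The block also exercises only plain `=`; a second case with `let $ENV_TEST .= 'val'` would cover the append form, which presumably reaches the same branch. The function starts outside the hunk.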
@@ -734,6 +734,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 188, /**/ 187, /**/