git.ipfire.org Git - thirdparty/vim.git/commit

author	Christian Brabandt <cb@256bit.org>
	Thu, 31 Aug 2023 21:52:30 +0000 (23:52 +0200)
committer	Christian Brabandt <cb@256bit.org>
	Thu, 31 Aug 2023 21:52:30 +0000 (23:52 +0200)
commit	816fbcc262687b81fc46f82f7bbeb1453addfe0c
tree	e48198ffea7b0b80669253fb970fdcc1d2f4c518	tree
parent	0ffa97e8fae5e73ff05ba24178cfc7206a3fe67e	commit \| diff

patch 9.0.1833: [security] runtime file fixes

Problem: runtime files may execute code in current dir
Solution: only execute, if not run from current directory

The perl, zig and ruby filetype plugins and the zip and gzip autoload
plugins may try to load malicious executable files from the current
working directory. This is especially a problem on windows, where the
current directory is implicitly in your $PATH and windows may even run a
file with the extension `.bat` because of $PATHEXT.

So make sure that we are not trying to execute a file from the current
directory. If this would be the case, error out (for the zip and gzip)
plugins or silently do not run those commands (for the ftplugins).

This assumes, that only the current working directory is bad. For all
other directories, it is assumed that those directories were
intentionally set to the $PATH by the user.

Signed-off-by: Christian Brabandt <cb@256bit.org>

runtime/autoload/gzip.vim		diff \| blob \| blame \| history
runtime/autoload/zip.vim		diff \| blob \| blame \| history
runtime/ftplugin/perl.vim		diff \| blob \| blame \| history
runtime/ftplugin/ruby.vim		diff \| blob \| blame \| history
runtime/ftplugin/zig.vim		diff \| blob \| blame \| history
src/version.c		diff \| blob \| blame \| history