patch 9.0.2070: [security] disallow setting env in restricted mode

Problem:  [security] disallow setting env in restricted mode
Solution: Setting environment variables in restricted mode could
          potentially be used to execute shell commands. Disallow this.

restricted mode: disable allow setting of environment variables

Setting environment variables in restricted mode, may have some unwanted
consequences. So, for example by setting $GCONV_PATH in restricted mode
and then calling the iconv() function, one may be able to execute some
unwanted payload, because the `iconv_open()` function internally uses
the `$GCONV_PATH` variable to find its conversion data.

So let's disable setting environment variables, even so this is no
complete protection, since we are not clearing the existing environment.
I tried a few ways but wasn't successful :(

One could also argue to disable the iconv() function completely in
restricted mode, but who knows what other API functions can be
influenced by setting some other unrelated environment variables.
So let's leave it as it is currently.

closes: #13394
See: https://huntr.com/bounties/b0a2eda1-459c-4e36-98e6-0cc7d7faccfe/

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/runtime/doc/starting.txt b/runtime/doc/starting.txt
index f7e98c7bef4f18d72bc633e842548d624b82fd69..1e7daa6b51282827ec23bf724399f1e433720462 100644 (file)
--- a/runtime/doc/starting.txt
+++ b/runtime/doc/starting.txt
@@ -1,4 +1,4 @@
-*starting.txt*  For Vim version 9.0.  Last change: 2023 Oct 17
+*starting.txt*  For Vim version 9.0.  Last change: 2023 Oct 20
 
 
                  VIM REFERENCE MANUAL    by Bram Moolenaar
@@ -249,10 +249,10 @@ a slash.  Thus "-R" means recovery and "-/R" readonly.
                                        *-Z* *restricted-mode* *E145* *E981*
 -Z             Restricted mode.  All commands that make use of an external
                shell are disabled.  This includes suspending with CTRL-Z,
-               ":sh", filtering, the system() function, backtick expansion
+               ":sh", filtering, the |system()| function, backtick expansion
                and libcall().
-               Also disallowed are delete(), rename(), mkdir(), job_start(),
-               etc.
+               Also disallowed are |delete()|, |rename()|, |mkdir()|,
+               |job_start()|, |setenv()| etc.
                Interfaces, such as Python, Ruby and Lua, are also disabled,
                since they could be used to execute shell commands.  Perl uses
                the Safe module.

diff --git a/src/evalfunc.c b/src/evalfunc.c
index f9b81c6054c2d0320225dca66c7293ca84574a88..9e4e26ba0c50633181957f02a763b008e63352ab 100644 (file)
--- a/src/evalfunc.c
+++ b/src/evalfunc.c
@@ -9723,6 +9723,12 @@ f_setenv(typval_T *argvars, typval_T *rettv UNUSED)
     if (in_vim9script() && check_for_string_arg(argvars, 0) == FAIL)
        return;
 
+    // seting an environment variable may be dangerous, e.g. you could
+    // setenv GCONV_PATH=/tmp and then have iconv() unexpectedly call
+    // a shell command using some shared library:
+    if (check_restricted() || check_secure())
+       return;
+
     name = tv_get_string_buf(&argvars[0], namebuf);
     if (argvars[1].v_type == VAR_SPECIAL
                                      && argvars[1].vval.v_number == VVAL_NULL)

diff --git a/src/version.c b/src/version.c
index 890e92c7cb1cd1f77451043557dea437b7852431..2bcdfc9736b23097703bafb249ce52ada0835bbb 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2070,
 /**/
     2069,
 /**/