From: Christian Brabandt Date: Sun, 31 May 2026 20:00:14 +0000 (+0000) Subject: patch 9.2.0576: popup_create() not blocked in secure/sandbox X-Git-Tag: v9.2.0576^0 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=4f1cd5f78a6a7926f03b159fee8b63c5de558094;p=thirdparty%2Fvim.git patch 9.2.0576: popup_create() not blocked in secure/sandbox Problem: popup_create() is not gated by check_secure(), unlike the similar deferred-callback registrars timer_start() and feedkeys(). A popup created with a 'time' and 'callback' (or with close/filter callbacks) registers code that runs after the secure/sandbox context has been left, which is inconsistent with how timer_start() and feedkeys() handle the same situation. Solution: Call check_secure() at the top of popup_create(), matching the timer_start()/feedkeys() pattern. closes: #20400 Signed-off-by: Christian Brabandt --- diff --git a/src/popupwin.c b/src/popupwin.c index 624e20c613..87ea44de50 100644 --- a/src/popupwin.c +++ b/src/popupwin.c @@ -2864,6 +2864,9 @@ popup_create(typval_T *argvars, typval_T *rettv, create_type_T type) dict_T *d = NULL; int i; + if (check_secure()) + return NULL; + if (argvars != NULL) { if (in_vim9script() diff --git a/src/testdir/test_popup.vim b/src/testdir/test_popup.vim index cf9cbe166e..32b2801888 100644 --- a/src/testdir/test_popup.vim +++ b/src/testdir/test_popup.vim @@ -2632,4 +2632,8 @@ func Test_popup_opacity_move_after_close() call StopVimInTerminal(buf) endfunc +func Test_popup_create_sandbox() + call assert_fails('sandbox call popup_create("hello", {})', 'E48:') +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index e1dd6429bf..dab821ad64 100644 --- a/src/version.c +++ b/src/version.c @@ -729,6 +729,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 576, /**/ 575, /**/