vim-patch:8.1.1366: using expressions in a modeline is unsafe

Problem:    Using expressions in a modeline is unsafe.
Solution:   Disallow using expressions in a modeline, unless the
            'modelineexpr' option is set.  Update help, add more tests.
110289e781

src/nvim/generators/gen_options.lua

@@ -79,6 +79,7 @@ local get_flags = function(o)
     {'pri_mkrc'},
     {'deny_in_modelines', 'P_NO_ML'},
     {'deny_duplicates', 'P_NODUP'},
+    {'modelineexpr', 'P_MLE'},
   }) do
     local key_name = flag_desc[1]
     local def_name = flag_desc[2] or ('P_' .. key_name:upper())

src/nvim/option.c

@@ -253,6 +253,7 @@ typedef struct vimoption {
 #define P_RWINONLY     0x10000000U  ///< only redraw current window
 #define P_NDNAME       0x20000000U  ///< only normal dir name chars allowed
 #define P_UI_OPTION    0x40000000U  ///< send option to remote ui
+#define P_MLE          0x80000000U  ///< under control of 'modelineexpr'
 
 #define HIGHLIGHT_INIT \
   "8:SpecialKey,~:EndOfBuffer,z:TermCursor,Z:TermCursorNC,@:NonText," \
@@ -1327,6 +1328,11 @@ int do_set(
           errmsg = (char_u *)_("E520: Not allowed in a modeline");
           goto skip;
         }
+        if ((flags & P_MLE) && !p_mle) {
+          errmsg = (char_u *)_(
+              "E992: Not allowed in a modeline when 'modelineexpr' is off");
+          goto skip;
+        }
         // In diff mode some options are overruled.  This avoids that
         // 'foldmethod' becomes "marker" instead of "diff" and that
         // "wrap" gets set.

src/nvim/option_defs.h

@@ -496,6 +496,7 @@ EXTERN long p_mmd;              // 'maxmapdepth'
 EXTERN long p_mmp;              // 'maxmempattern'
 EXTERN long p_mis;              // 'menuitems'
 EXTERN char_u   *p_msm;         // 'mkspellmem'
+EXTERN long p_mle;              // 'modelineexpr'
 EXTERN long p_mls;              // 'modelines'
 EXTERN char_u   *p_mouse;       // 'mouse'
 EXTERN char_u   *p_mousem;      // 'mousemodel'

src/nvim/options.lua

@@ -8,6 +8,7 @@
 --    defaults={condition=nil, if_true={vi=224, vim=0}, if_false=nil},
 --    secure=nil, gettext=nil, noglob=nil, normal_fname_chars=nil,
 --    pri_mkrc=nil, deny_in_modelines=nil, normal_dname_chars=nil,
+--    modelineexpr=nil,
 --    expand=nil, nodefault=nil, no_mkrc=nil, vi_def=true, vim=true,
 --    alloced=nil,
 --    save_pv_indir=nil,
@@ -283,6 +284,7 @@ return {
       deny_duplicates=true,
       vi_def=true,
       expand=true,
+      secure=true,
       varname='p_cdpath',
       defaults={if_true={vi=",,"}}
     },
@@ -847,6 +849,7 @@ return {
       type='string', scope={'window'},
       vi_def=true,
       vim=true,
+      modelineexpr=true,
       alloced=true,
       redraw={'current_window'},
       defaults={if_true={vi="0"}}
@@ -922,6 +925,7 @@ return {
       type='string', scope={'window'},
       vi_def=true,
       vim=true,
+      modelineexpr=true,
       alloced=true,
       redraw={'current_window'},
       defaults={if_true={vi="foldtext()"}}
@@ -931,6 +935,7 @@ return {
       type='string', scope={'buffer'},
       vi_def=true,
       vim=true,
+      modelineexpr=true,
       alloced=true,
       varname='p_fex',
       defaults={if_true={vi=""}}
@@ -1045,6 +1050,7 @@ return {
       full_name='guitablabel', abbreviation='gtl',
       type='string', scope={'global'},
       vi_def=true,
+      modelineexpr=true,
       redraw={'current_window'},
       enable_if=false,
     },
@@ -1136,6 +1142,7 @@ return {
       full_name='iconstring',
       type='string', scope={'global'},
       vi_def=true,
+      modelineexpr=true,
       varname='p_iconstring',
       defaults={if_true={vi=""}}
     },
@@ -1198,6 +1205,7 @@ return {
       full_name='includeexpr', abbreviation='inex',
       type='string', scope={'buffer'},
       vi_def=true,
+      modelineexpr=true,
       alloced=true,
       varname='p_inex',
       defaults={if_true={vi=""}}
@@ -1214,6 +1222,7 @@ return {
       type='string', scope={'buffer'},
       vi_def=true,
       vim=true,
+      modelineexpr=true,
       alloced=true,
       varname='p_inde',
       defaults={if_true={vi=""}}
@@ -1527,6 +1536,13 @@ return {
       varname='p_ml',
       defaults={if_true={vi=false, vim=true}}
     },
+    {
+      full_name='modelineexpr', abbreviation='mle',
+      type='bool', scope={'global'},
+      vi_def=true,
+      varname='p_mle',
+      defaults={if_true={vi=false}}
+    },
     {
       full_name='modelines', abbreviation='mls',
       type='number', scope={'global'},
@@ -1903,6 +1919,7 @@ return {
       type='string', scope={'global'},
       vi_def=true,
       alloced=true,
+      modelineexpr=true,
       redraw={'statuslines'},
       varname='p_ruf',
       defaults={if_true={vi=""}}
@@ -2310,6 +2327,7 @@ return {
       type='string', scope={'global', 'window'},
       vi_def=true,
       alloced=true,
+      modelineexpr=true,
       redraw={'statuslines'},
       varname='p_stl',
       defaults={if_true={vi=""}}
@@ -2369,6 +2387,7 @@ return {
       full_name='tabline', abbreviation='tal',
       type='string', scope={'global'},
       vi_def=true,
+      modelineexpr=true,
       redraw={'all_windows'},
       varname='p_tal',
       defaults={if_true={vi=""}}
@@ -2528,6 +2547,7 @@ return {
       full_name='titlestring',
       type='string', scope={'global'},
       vi_def=true,
+      modelineexpr=true,
       varname='p_titlestring',
       defaults={if_true={vi=""}}
     },

src/nvim/testdir/test49.in

@@ -4,7 +4,7 @@ If after adding a new test, the test output doesn't appear properly in
 test49.failed, try to add one or more "G"s at the line ending in "test.out"
 
 STARTTEST
-:se nomore
+:se nomore modelineexpr
 :lang mess C
 :so test49.vim
 :" Go back to this file and append the results from register r.

src/nvim/testdir/test_modeline.vim

@@ -60,14 +60,17 @@ func Test_modeline_keymap()
   set keymap= iminsert=0 imsearch=-1
 endfunc
 
-func s:modeline_fails(what, text)
+func s:modeline_fails(what, text, error)
+  if !exists('+' . a:what)
+    return
+  endif
   let fname = "Xmodeline_fails_" . a:what
   call writefile(['vim: set ' . a:text . ' :', 'nothing'], fname)
   let modeline = &modeline
   set modeline
   filetype plugin on
   syntax enable
-  call assert_fails('split ' . fname, 'E474:')
+  call assert_fails('split ' . fname, a:error)
   call assert_equal("", &filetype)
   call assert_equal("", &syntax)
 
@@ -79,16 +82,91 @@ func s:modeline_fails(what, text)
 endfunc
 
 func Test_modeline_filetype_fails()
-  call s:modeline_fails('filetype', 'ft=evil$CMD')
+  call s:modeline_fails('filetype', 'ft=evil$CMD', 'E474:')
 endfunc
 
 func Test_modeline_syntax_fails()
-  call s:modeline_fails('syntax', 'syn=evil$CMD')
+  call s:modeline_fails('syntax', 'syn=evil$CMD', 'E474:')
 endfunc
 
 func Test_modeline_keymap_fails()
-  if !has('keymap')
-    return
-  endif
-  call s:modeline_fails('keymap', 'keymap=evil$CMD')
+  call s:modeline_fails('keymap', 'keymap=evil$CMD', 'E474:')
+endfunc
+
+func Test_modeline_fails_always()
+  call s:modeline_fails('backupdir', 'backupdir=Something()', 'E520:')
+  call s:modeline_fails('cdpath', 'cdpath=Something()', 'E520:')
+  call s:modeline_fails('charconvert', 'charconvert=Something()', 'E520:')
+  call s:modeline_fails('completefunc', 'completefunc=Something()', 'E520:')
+  call s:modeline_fails('cscopeprg', 'cscopeprg=Something()', 'E520:')
+  call s:modeline_fails('diffexpr', 'diffexpr=Something()', 'E520:')
+  call s:modeline_fails('directory', 'directory=Something()', 'E520:')
+  call s:modeline_fails('equalprg', 'equalprg=Something()', 'E520:')
+  call s:modeline_fails('errorfile', 'errorfile=Something()', 'E520:')
+  call s:modeline_fails('exrc', 'exrc=Something()', 'E520:')
+  call s:modeline_fails('formatprg', 'formatprg=Something()', 'E520:')
+  call s:modeline_fails('fsync', 'fsync=Something()', 'E520:')
+  call s:modeline_fails('grepprg', 'grepprg=Something()', 'E520:')
+  call s:modeline_fails('helpfile', 'helpfile=Something()', 'E520:')
+  call s:modeline_fails('imactivatefunc', 'imactivatefunc=Something()', 'E520:')
+  call s:modeline_fails('imstatusfunc', 'imstatusfunc=Something()', 'E520:')
+  call s:modeline_fails('imstyle', 'imstyle=Something()', 'E520:')
+  call s:modeline_fails('keywordprg', 'keywordprg=Something()', 'E520:')
+  call s:modeline_fails('langmap', 'langmap=Something()', 'E520:')
+  call s:modeline_fails('luadll', 'luadll=Something()', 'E520:')
+  call s:modeline_fails('makeef', 'makeef=Something()', 'E520:')
+  call s:modeline_fails('makeprg', 'makeprg=Something()', 'E520:')
+  call s:modeline_fails('makespellmem', 'makespellmem=Something()', 'E520:')
+  call s:modeline_fails('mzschemedll', 'mzschemedll=Something()', 'E520:')
+  call s:modeline_fails('mzschemegcdll', 'mzschemegcdll=Something()', 'E520:')
+  call s:modeline_fails('omnifunc', 'omnifunc=Something()', 'E520:')
+  call s:modeline_fails('operatorfunc', 'operatorfunc=Something()', 'E520:')
+  call s:modeline_fails('perldll', 'perldll=Something()', 'E520:')
+  call s:modeline_fails('printdevice', 'printdevice=Something()', 'E520:')
+  call s:modeline_fails('patchexpr', 'patchexpr=Something()', 'E520:')
+  call s:modeline_fails('printexpr', 'printexpr=Something()', 'E520:')
+  call s:modeline_fails('pythondll', 'pythondll=Something()', 'E520:')
+  call s:modeline_fails('pythonhome', 'pythondll=Something()', 'E520:')
+  call s:modeline_fails('pythonthreedll', 'pythonthreedll=Something()', 'E520:')
+  call s:modeline_fails('pythonthreehome', 'pythonthreehome=Something()', 'E520:')
+  call s:modeline_fails('pyxversion', 'pyxversion=Something()', 'E520:')
+  call s:modeline_fails('rubydll', 'rubydll=Something()', 'E520:')
+  call s:modeline_fails('runtimepath', 'runtimepath=Something()', 'E520:')
+  call s:modeline_fails('secure', 'secure=Something()', 'E520:')
+  call s:modeline_fails('shell', 'shell=Something()', 'E520:')
+  call s:modeline_fails('shellcmdflag', 'shellcmdflag=Something()', 'E520:')
+  call s:modeline_fails('shellpipe', 'shellpipe=Something()', 'E520:')
+  call s:modeline_fails('shellquote', 'shellquote=Something()', 'E520:')
+  call s:modeline_fails('shellredir', 'shellredir=Something()', 'E520:')
+  call s:modeline_fails('shellxquote', 'shellxquote=Something()', 'E520:')
+  call s:modeline_fails('spellfile', 'spellfile=Something()', 'E520:')
+  call s:modeline_fails('spellsuggest', 'spellsuggest=Something()', 'E520:')
+  call s:modeline_fails('tcldll', 'tcldll=Something()', 'E520:')
+  call s:modeline_fails('titleold', 'titleold=Something()', 'E520:')
+  call s:modeline_fails('viewdir', 'viewdir=Something()', 'E520:')
+  call s:modeline_fails('viminfo', 'viminfo=Something()', 'E520:')
+  call s:modeline_fails('viminfofile', 'viminfofile=Something()', 'E520:')
+  call s:modeline_fails('winptydll', 'winptydll=Something()', 'E520:')
+  call s:modeline_fails('undodir', 'undodir=Something()', 'E520:')
+  " only check a few terminal options
+  " Skip these since nvim doesn't support termcodes as options
+  "call s:modeline_fails('t_AB', 't_AB=Something()', 'E520:')
+  "call s:modeline_fails('t_ce', 't_ce=Something()', 'E520:')
+  "call s:modeline_fails('t_sr', 't_sr=Something()', 'E520:')
+  "call s:modeline_fails('t_8b', 't_8b=Something()', 'E520:')
+endfunc
+
+func Test_modeline_fails_modelineexpr()
+  call s:modeline_fails('balloonexpr', 'balloonexpr=Something()', 'E992:')
+  call s:modeline_fails('foldexpr', 'foldexpr=Something()', 'E992:')
+  call s:modeline_fails('foldtext', 'foldtext=Something()', 'E992:')
+  call s:modeline_fails('formatexpr', 'formatexpr=Something()', 'E992:')
+  call s:modeline_fails('guitablabel', 'guitablabel=Something()', 'E992:')
+  call s:modeline_fails('iconstring', 'iconstring=Something()', 'E992:')
+  call s:modeline_fails('includeexpr', 'includeexpr=Something()', 'E992:')
+  call s:modeline_fails('indentexpr', 'indentexpr=Something()', 'E992:')
+  call s:modeline_fails('rulerformat', 'rulerformat=Something()', 'E992:')
+  call s:modeline_fails('statusline', 'statusline=Something()', 'E992:')
+  call s:modeline_fails('tabline', 'tabline=Something()', 'E992:')
+  call s:modeline_fails('titlestring', 'titlestring=Something()', 'E992:')
 endfunc