vim-patch:8.1.1365: source command doesn't check for the sandbox

Problem: Source command doesn't check for the sandbox. (Armin Razmjou) Solution: Check for the sandbox when sourcing a file. 5357552140
2025-09-27 13:38:34 +00:00 · 2019-06-22 21:13:01 -04:00
parent 433c136a8a
commit 45bb1757bf
2 changed files with 17 additions and 0 deletions
--- a/src/nvim/getchar.c
+++ b/src/nvim/getchar.c
@@ -1253,6 +1253,13 @@ openscript (
    EMSG(_(e_nesting));
    return;
  }
+
+  // Disallow sourcing a file in the sandbox, the commands would be executed
+  // later, possibly outside of the sandbox.
+  if (check_secure()) {
+    return;
+  }
+
  if (ignore_script)
    /* Not reading from script, also don't open one.  Warning message? */
    return;
--- a/src/nvim/testdir/test_source.vim
+++ b/src/nvim/testdir/test_source.vim
@@ -0,0 +1,10 @@
+" Tests for the :source command.
+
+func Test_source_sandbox()
+  new
+  call writefile(["Ohello\<Esc>"], 'Xsourcehello')
+  source! Xsourcehello | echo
+  call assert_equal('hello', getline(1))
+  call assert_fails('sandbox source! Xsourcehello', 'E48:')
+  bwipe!
+endfunc