vim-patch:9.2.0699: [security]: possible code execution with python complete (#40363)

Problem:  [security]: possible code execution with python complete
          (morningbread)
Solution: Use repr() to quote the doc strings correctly

Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-ppj8-wqjf-6fp3

Supported by AI

cce141c427

Co-authored-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
zeertzjq
2026-06-22 10:26:37 +08:00
committed by GitHub
parent e59684318e
commit 7d0adc08f7
3 changed files with 25 additions and 8 deletions

View File

@@ -221,4 +221,19 @@ func Test_python3complete_allow_import_on_runs_imports()
\ 'g:pythoncomplete_allow_import=1 did not run the buffer import')
endfunc
func Test_python3complete_no_exec_via_class_docstring()
" A class-body docstring is emitted verbatim between triple quotes by
" get_code() and runs at class-definition time during exec(). A single-
" quoted source docstring lets an embedded """ survive doc()'s leading/
" trailing quote strip and break out of the generated literal.
let marker = tempname()
call s:CompleteAndExpectNoMarker([
\ 'class Foo:',
\ ' ''x"""+open("' . marker . '", "w").close()+"""y''',
\ ' pass',
\ 'Foo.',
\ ], marker,
\ 'class docstring expression was evaluated during omni-completion')
endfunc
" vim: shiftwidth=2 sts=2 expandtab