patch 8.1.1365: source command doesn't check for the sandbox

Problem: Source command doesn't check for the sandbox. (Armin Razmjou) Solution: Check for the sandbox when sourcing a file.
vim · May 22, 2019 · 5357552 · 5357552
1 parent 5c017b2
commit 5357552
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/src/getchar.c b/src/getchar.c
@@ -1407,6 +1407,12 @@ openscript(
 	emsg(_(e_nesting));
 	return;
     }
+
+    // Disallow sourcing a file in the sandbox, the commands would be executed
+    // later, possibly outside of the sandbox.
+    if (check_secure())
+	return;
+
 #ifdef FEAT_EVAL
     if (ignore_script)
 	/* Not reading from script, also don't open one.  Warning message? */

diff --git a/src/testdir/test_source.vim b/src/testdir/test_source.vim
@@ -36,3 +36,12 @@ func Test_source_cmd()
   au! SourcePre
   au! SourcePost
 endfunc
+
+func Test_source_sandbox()
+  new
+  call writefile(["Ohello\<Esc>"], 'Xsourcehello')
+  source! Xsourcehello | echo
+  call assert_equal('hello', getline(1))
+  call assert_fails('sandbox source! Xsourcehello', 'E48:')
+  bwipe!
+endfunc
diff --git a/src/version.c b/src/version.c
@@ -767,6 +767,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1365,
 /**/
     1364,
 /**/