Prevent insecure plugin names.
Plugins' names which contain '../', '$HOME', '%:h:h', '..\', etc.
can be dangerous.
Use a sensible whitelist for plugin names and prevent the name from being expanded.
Shahaf Arad committed Mar 21, 2015
1 parent 34a3077 commit 2506347
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion autoload/vundle/config.vim
@@ -97,6 +97,9 @@ funct! s:check_bundle_name(bundle)
\ ' previously used the name "' . a:bundle.name . '"' .
\ '. Skipping Plugin ' . a:bundle.name_spec . '.'
return 0
elseif a:bundle.name !~ '\v^[A-Za-z0-9_-]%(\.?[A-Za-z0-9_-])*$'
echoerr 'Invalid plugin name: ' . a:bundle.name
return 0
endif
let s:bundle_names[a:bundle.name] = a:bundle.name_spec
return 1
@@ -262,7 +265,7 @@ let s:bundle = {}
" return -- the target location to clone this bundle to
" ---------------------------------------------------------------------------
func! s:bundle.path()
return s:expand_path(g:vundle#bundle_dir.'/'.self.name)
return s:expand_path(g:vundle#bundle_dir.'/') . self.name
endf


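Review bot: In `s:bundle.path()` the name is now appended after `s:expand_path()` and is no longer expanded, but a name containing `../` would still be joined verbatim, so the returned path is safe only when the name has already passed the new whitelist in `s:check_bundle_name()`. Whether every caller honours the `return 0` there cannot be seen from these hunks (the function starts outside the first hunk), so the dependency is worth stating above the `return` in `path()`, e.g. `" self.name is appended unexpanded and must already have passed s:check_bundle_name()`. The whitelist line deserves a short comment too, such as `" dot-separated runs of [A-Za-z0-9_-]: no path separators, no '..', no leading or trailing dot, no $ % ~`, since it also rejects names that merely start with a dot. The new concatenation presumably relies on `s:expand_path()` keeping the trailing `/`; that helper is not visible here and should be confirmed.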
