Prevent insecure plugin names. #578
Conversation
@@ -262,7 +265,7 @@ let s:bundle = {} | |||
" return -- the target location to clone this bundle to | |||
" --------------------------------------------------------------------------- | |||
func! s:bundle.path() | |||
return s:expand_path(g:vundle#bundle_dir.'/'.self.name) | |||
return s:expand_path(g:bundle_dir.'/') . self.name |
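Review bot: the replacement line switches the variable from `g:vundle#bundle_dir` (used on the removed line) to `g:bundle_dir`, which looks like an accidental rename introduced in the rebase rather than part of the fix; keep the original name and only move `self.name` out of the expanded string, i.e. `return s:expand_path(g:vundle#bundle_dir.'/') . self.name`. Appending the name after expansion is the part that matters for the security fix, since a name containing `$HOME`, `%:h:h` or `..` is then copied verbatim instead of being interpreted by the expansion.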
We really want to keep the vundle#bundle_dir here. Otherwise I cannot even test this :)
Oops... missed that.
Plugins' names which contain '../', '$HOME', '%:h:h', '..\', etc. can be dangerous. Use a sensible whitelist for plugin names and prevent its expansion.
e3320cc to 2506347
Note to myself: "Check even the most trivial rebases"
@@ -97,6 +97,9 @@ funct! s:check_bundle_name(bundle) | |||
\ ' previously used the name "' . a:bundle.name . '"' . | |||
\ '. Skipping Plugin ' . a:bundle.name_spec . '.' | |||
return 0 | |||
elseif a:bundle.name !~ '\v^[A-Za-z0-9_-]%(\.?[A-Za-z0-9_-])*$' | |||
echoerr 'Invalid plugin name: ' . a:bundle.name |
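Review bot: the new `elseif` branch, as far as it is visible here, only reports the error; the preceding branch ends with `return 0` so that the bundle is skipped, and this branch needs the same `return 0` after the `echoerr` so that a rejected name is never used to build a clone path (the hunk header says three lines were added but only two are shown, so if the third is that return, this is fine). The whitelist itself reads correctly: the first character must be alphanumeric, `_` or `-`, every later character may be preceded by at most one `.`, so `.`, `..`, leading or trailing dots, `/`, `\`, `$`, `%` and `:` are all rejected while names such as `vim-foo.bar` still pass.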
When I run:
Plugin '..'
it shows me:
Error detected while processing function vundle#config#bundle..<SNR>10_check_bundle_name:
line 8:
Invalid plugin name: ..
So, cool :)
I'll merge it, hopefully people are not running plugins with funky names.
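To show what the whitelist in this PR accepts and rejects, and why the name has to stay outside the expanded string, here is an added Python example (not Vundle's code). `PLUGIN_NAME_RE` is a direct port of the PR's Vim regex; `expand_like_vim` is a constructed stand-in for Vim's `expand()` that only substitutes `$VAR` from a supplied mapping and collapses `..` components; `old_bundle_path` and `new_bundle_path` mirror the shape of the code before and after the fix, and the `commonpath` containment check in `new_bundle_path` is extra defence added here, not something the PR does.

```python
import posixpath
import re

# Port of the PR's whitelist '\v^[A-Za-z0-9_-]%(\.?[A-Za-z0-9_-])*$':
# first character alphanumeric, '_' or '-'; each further character may be
# preceded by at most one '.', so '.', '..', leading/trailing dots, '/', '\',
# '$', '%' and ':' are all rejected.
PLUGIN_NAME_RE = re.compile(r'[A-Za-z0-9_-](?:\.?[A-Za-z0-9_-])*')


def is_valid_plugin_name(name: str) -> bool:
    """True if the whole name passes the same whitelist as the PR's regex."""
    return PLUGIN_NAME_RE.fullmatch(name) is not None


def expand_like_vim(path: str, env: dict) -> str:
    """Constructed stand-in for Vim's expand(): substitutes $VAR from the
    given mapping and collapses '.' and '..' components. It is not Vim's
    expand() and does not model filename modifiers such as '%:h:h'."""
    expanded = re.sub(r'\$([A-Za-z_][A-Za-z0-9_]*)',
                      lambda m: env.get(m.group(1), m.group(0)), path)
    return posixpath.normpath(expanded)


def old_bundle_path(bundle_dir: str, name: str, env: dict) -> str:
    """Shape of the pre-fix code, expand_path(bundle_dir.'/'.name): the plugin
    name is part of the string handed to expansion, so '$HOME' in a name is
    rewritten and '../..' moves the clone target out of the bundle dir."""
    return expand_like_vim(bundle_dir + '/' + name, env)


def new_bundle_path(bundle_dir: str, name: str, env: dict) -> str:
    """Shape of the fixed code: reject names outside the whitelist, expand
    only the bundle directory, then append the name verbatim. The final
    containment check is extra defence added in this example."""
    if not is_valid_plugin_name(name):
        raise ValueError('Invalid plugin name: ' + name)
    base = expand_like_vim(bundle_dir, env)
    target = posixpath.normpath(posixpath.join(base, name))
    if posixpath.commonpath([base, target]) != base:
        raise ValueError('Plugin name escapes bundle dir: ' + name)
    return target


if __name__ == '__main__':
    env = {'HOME': '/home/alice'}  # constructed environment, not the real one
    names = ['vim-airline', 'nerdtree.vim', '..', '../../outside', '$HOME', '%:h:h']
    for name in names:
        old = old_bundle_path('$HOME/.vim/bundle', name, env)
        try:
            new = new_bundle_path('$HOME/.vim/bundle', name, env)
        except ValueError as err:
            new = 'rejected (' + str(err) + ')'
        print(f'{name!r:18} old: {old:34} new: {new}')
```

Running the block prints, for each constructed name, where the old code would have cloned it and what the fixed code does; the `'..'` case reproduces the `Invalid plugin name: ..` error quoted above.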
Prevent insecure plugin names.
👍
Plugins' names which contain '../', '$HOME', '%:h:h', '..', etc.
can be dangerous.
Use a sensible whitelist for plugin names and prevent its expansion.