
Prevent insecure plugin names. #578

Merged

Conversation

annagrram (Contributor)

Plugins' names which contain '../', '$HOME', '%:h:h', '..', etc.
can be dangerous.
Use a sensible whitelist for plugin names and prevent its expansion.
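
As an added illustration (not Vundle's own code), the whitelist regex this PR introduces, translated from Vim very-magic syntax to Python, with an assumed path-containment check that is not part of the PR; the bundle directory and plugin names below are constructed samples.

```python
import posixpath
import re

# Python translation of the very-magic Vim regex added by this PR:
#   \v^[A-Za-z0-9_-]%(\.?[A-Za-z0-9_-])*$
# A name must start with [A-Za-z0-9_-] and may only contain single dots
# between such characters, so "..", "../x", "$HOME", "%:h:h" and "..\x"
# all fail to match.
SAFE_PLUGIN_NAME = re.compile(r"^[A-Za-z0-9_-](?:\.?[A-Za-z0-9_-])*$")


def is_safe_plugin_name(name: str) -> bool:
    """Whitelist check: only the characters the PR's regex permits."""
    return SAFE_PLUGIN_NAME.match(name) is not None


def is_within_bundle_dir(bundle_dir: str, name: str) -> bool:
    """Assumed defence in depth (not in the PR): after normalising the
    joined path, its parent directory must still be bundle_dir itself."""
    base = posixpath.normpath(bundle_dir)
    target = posixpath.normpath(posixpath.join(base, name))
    return posixpath.dirname(target) == base


def bundle_path(bundle_dir: str, name: str) -> str:
    """Mirror of the fixed s:bundle.path(): validate the name, then append
    it to the already-expanded bundle directory instead of expanding the
    joined string (which is what let $HOME or %:h:h in a name expand)."""
    if not is_safe_plugin_name(name):
        raise ValueError(f"Invalid plugin name: {name}")
    if not is_within_bundle_dir(bundle_dir, name):
        raise ValueError(f"Plugin name escapes bundle dir: {name}")
    return posixpath.join(bundle_dir, name)


if __name__ == "__main__":
    # Constructed sample names, including the ones the PR lists as dangerous.
    samples = ["vim-fugitive", "foo.vim", "..", "../x", "$HOME", "%:h:h", "..\\x"]
    for candidate in samples:
        try:
            print(candidate, "->", bundle_path("/home/user/.vim/bundle", candidate))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```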

@@ -262,7 +265,7 @@ let s:bundle = {}
" return -- the target location to clone this bundle to
" ---------------------------------------------------------------------------
func! s:bundle.path()
return s:expand_path(g:vundle#bundle_dir.'/'.self.name)
return s:expand_path(g:bundle_dir.'/') . self.name
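Review bot: the replacement line swaps `g:vundle#bundle_dir` for `g:bundle_dir`, which is a different variable, so the function would now read a directory that the rest of this file does not set; keep the original variable and only move `self.name` out of the expansion, i.e. `return s:expand_path(g:vundle#bundle_dir.'/') . self.name`. Appending the name after `s:expand_path()` rather than inside it is the right direction, since it stops tokens such as `$HOME` or `%:h:h` in a plugin name from being expanded as part of the path.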
Contributor

We really want to keep the vundle#bundle_dir here. Otherwise I cannot even test this :)

@annagrram (Contributor, Author)

Oops... missed that.
Give me a second.

@jdevera jdevera self-assigned this Mar 21, 2015
Plugins' names which contain '../', '$HOME', '%:h:h', '..\', etc.
can be dangerous.
Use a sensible whitelist for plugin names and prevent its expansion.
@annagrram annagrram force-pushed the plugin-names-security-enhancement branch from e3320cc to 2506347 on March 21, 2015 22:40
@annagrram (Contributor, Author)

Note to myself: "Check even the most trivial rebases"

@@ -97,6 +97,9 @@ funct! s:check_bundle_name(bundle)
\ ' previously used the name "' . a:bundle.name . '"' .
\ '. Skipping Plugin ' . a:bundle.name_spec . '.'
return 0
elseif a:bundle.name !~ '\v^[A-Za-z0-9_-]%(\.?[A-Za-z0-9_-])*$'
echoerr 'Invalid plugin name: ' . a:bundle.name
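Review bot: make sure the new `elseif` branch also ends with `return 0` like the branch above it; the hunk header counts three added lines but only the `elseif` and the `echoerr` are visible here, and without the return an invalid name would be reported yet still processed. The whitelist itself is sound: by allowing only ASCII letters, digits, `_`, `-` and single interior dots it rejects `..`, path separators, `$` and `%` without special-casing any of them, so `../`, `$HOME` and `%:h:h` all fall out as invalid names.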
Contributor

When I run:
Plugin '..'

it shows me:

Error detected while processing function vundle#config#bundle..<SNR>10_check_bundle_name:
line    8:
Invalid plugin name: ..

So, cool :)

@jdevera (Contributor)

jdevera commented Mar 21, 2015

I'll merge it, hopefully people are not running plugins with funky names.

jdevera added a commit that referenced this pull request Mar 21, 2015
@jdevera jdevera merged commit cfd3b2d into VundleVim:master Mar 21, 2015
@annagrram (Contributor, Author)

👍
