Commit Graph

4 Commits

Author SHA1 Message Date
zeertzjq
346a639028
vim-patch:9.1.0220: Few typos in source and test files (#28076)
Problem:  Typos in code and tests.
Solution: Fix typos (zeertzjq).

closes: vim/vim#14321

c029c131ea
2024-03-28 19:03:27 +08:00
zeertzjq
9dc440400c
vim-patch:9.0.2068: [security] overflow in :history (#25794)
Problem:  [security] overflow in :history
Solution: Check that value fits into int

The get_list_range() function, used to parse numbers for the :history
and :clist command internally uses long variables to store the numbers.
However function arguments are integer pointers, which can then
overflow.

Check that the return value from the vim_str2nr() function is not larger
than INT_MAX and if yes, bail out with an error. I guess nobody uses a
cmdline/clist history that needs so many entries... (famous last words).

It is only a moderate vulnerability, so impact should be low.

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm

9198c1f2b1

N/A patch:
vim-patch:9.0.2073: typo in quickfix.c comments

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-10-27 06:37:52 +08:00
zeertzjq
5821c857e0 vim-patch:9.0.1968: cmdline completion should consider key option
Problem:  cmdline completion should consider key option
Solution: Disable cmdline completion for key option, slightly
          refactor how P_NO_CMD_EXPAND is handled

Harden crypto 'key' option: turn off cmdline completion, disable set-=

"set-=" can be used maliciously with a crypto key, as it allows an
attacker (who either has access to the computer or a plugin author) to
guess a substring by observing the modified state. Simply turn off
set+=/-=/^= for this option as there is no good reason for them to be
used.

Update docs to make that clear as well.

Also, don't allow cmdline completion for 'key' as it just shows *****
which is not useful and confusing to the user what it means (if the user
accidentally hits enter they will have replaced their key with "*****"
instead).

Move logic to better location, don't use above 32-bit for flags

Move P_NO_CMD_EXPAND to use the unused 0x20 instead of going above
32-bits, as currently the flags parameter is only 32-bits on some
systems. Left a comment to warn that future additions will need to
change how the flags work either by making it 64-bit or split into two
member vars.

Also, move the logic for detecting P_NO_CMD_EXPAND earlier so it's not
up to each handler to decide, and you won't see the temporary "..." that
Vim shows while waiting for completion handler to complete.

closes: vim/vim#13224

6ee7b521fa

Co-authored-by: Yee Cheng Chin <ychin.git@gmail.com>
2023-10-01 20:00:23 +08:00
dundargoc
af23d17388
test: move oldtests to test directory (#22536)
The new oldtest directory is in test/old/testdir. The reason for this is
that many tests have hardcoded the parent directory name to be
'testdir'.
2023-03-07 11:13:04 +08:00