runtime: don't execute external commands when loading ftplugins
This is a followup to 816fbcc262687b81fc46f82f7bbeb1453addfe0c (patch
9.0.1833: [security] runtime file fixes)
It basically disables that external commands are run on loading of the
filetype plugin, **unless** the user has set the `g:plugin_exec = 1`
global variable in their configuration or for a specific filetype the
variable g:<filetype>_exec=1.
There are a few more plugins, that may execute system commands like
debchangelog, gitcommit, sh, racket, zsh, ps1 but those do at least
do not run those commands by default during loading of the filetype plugin
(there the command is mostly run as convenience for auto-completion or
to provide documentation lookup).
closes: vim/vim#13034f7ac0ef509
Co-authored-by: Christian Brabandt <cb@256bit.org>
Co-authored-by: Tim Pope <vim@tpope.org>
runtime(ftplugin): allow to exec if curdir is in PATH
In case the current directory is present as valid $PATH entry, it is OK
to call the program from it, even if vim curdir is in that same
directory.
(Without that patch, for instance, you will not be able to open .zip
files while your current directory is /bin)
closes: vim/vim#1302767c951df4c
Co-authored-by: Anton Sharonov <anton.sharonov@gmail.com>
Problem: CI may fail in test_recover_empty_swap
Solution: Set directory option
Fix failing Test_recover_empty_swap test
:recover by default not only looks in the current directory, but also in
~/tmp for files to recover. If it finds some files to recover, it will
interactively prompt for a file to recover. However, prompting doesn't
work when running the test suite (and even if it would, there is no one
that can answer the prompt).
So it doesn't really make sense during testing, to inspect different
directories for swap files and prompt and wait (which will lead to a
timeout and therefore a failing test).
So set the 'directory' option temporarily to the current directory only
and reset it back once the test finishes.
closes: vim/vim#130381c7397f3f1
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: Too many delete() calls in tests.
Solution: Use deferred delete where possible.
db77cb3c08
Include test_recover.vim changes only.
Cherry-pick test_recover.vim change from patch 8.2.3637.
Co-authored-by: Bram Moolenaar <Bram@vim.org>
runtime: Fix problem of checking wrong cwd for ruby ftplugin (vim/vim#13026)
282a94be99
Co-authored-by: Anton Sharonov (ant0sha) <109120102+ant0sha@users.noreply.github.com>
Co-authored-by: Anton Sharonov <anton.sharonov@gmail.com>
runtime(php): Update the php indent script to the 1.75 (from 1.70) (vim/vim#13025)
Changes:
1.75:
- Fix 2072/PHP-Indenting-for-VImvim/vim#87: The indent optimization was causing wrong indentation of lines
preceded by a line ending with '}' when preceded by non white characters.
- Fix long standing non-reported regex escaping issue in cleaning end of line
comments function. This should help fixing some other unreported issues when
parts of codes are commented out at ends of lines...
1.74:
- Fix 2072/PHP-Indenting-for-VImvim/vim#86: Add support for `match` expression.
1.73:
- Fix 2072/PHP-Indenting-for-VImvim/vim#77 where multi line strings and true/false keywords at beginning of a
line would cause indentation failures.
1.72:
- Fix vim/vimvim/vim#5722 where it was reported that the option PHP_BracesAtCodeLevel
had not been working for the last 6 years.
1.71:
- Fix 2072/PHP-Indenting-for-VImvim/vim#75 where the indent script would hang on some multi-line quoted strings.
3170342af3
Co-authored-by: John Wellesz <john.wellesz@gmail.com>
vim-patch:9.0.1866: undo is synced after character find
Problem: Undo is synced after character find.
Solution: Set no_u_sync when calling gotchars_nop().
closes: vim/vim#13022closes: vim/vim#13024dccc29c228
- simplify lua interpreter search
- fix incorrect variable name in BuildLua.cmake
- build PUC Lua with -O2
- silence non-mandatory find_package search for libuv
- simplify Find modules
- Prefer using the explicitly set CI_BUILD over relying on the
environment variable "CI".
This partially reverts commit 7d0479c558.
The job has been particularly unstable when used with docker on
cirrus-ci, which is especially bad as it's meant to be a non-flaky and
simple test.
Problem: buffer-overflow in vim_regsub_both()
Solution: Check remaining space
ced2c7394a
The change to do_sub() looks confusing. Maybe it's an overflow check?
Then the crash may not be applicable to Nvim because of different casts.
The test also looks confusing. It seems to source itself recursively.
Also don't call strlen() twice on evaluation result.
N/A patches for version.c:
vim-patch:9.0.1849: CI error on different signedness in ex_cmds.c
vim-patch:9.0.1853: CI error on different signedness in regexp.c
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: use-after-free in do_ecmd
Solution: Verify oldwin pointer after reset_VIsual()
e1dc9a6275
N/A patches for version.c:
vim-patch:9.0.1841: style: trailing whitespace in ex_cmds.c
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: potential oob write in do_addsub()
Solution: don't overflow buf2, check size in for loop()
889f6af371
Co-authored-by: Christian Brabandt <cb@256bit.org>
Downloading the necessary files all at once instead of doing dependency
handling with luarocks speeds up installation immensely. We speed up the
process even more by using luv as a replacement for the C modules in the
busted dependencies, which allows us to skip costly compilation times.
Co-authored-by: bfredl <bjorn.linse@gmail.com>
runtime(ruby): Update syntax, indent and ftplugin files
While making changes to the ruby ftplugin, slightly change the exepath()
conditional from patch 9.0.1833 and move it after the :cd invocation.
closes: 12981
closes: 12994
da16a1b471
Co-authored-by: Doug Kearns <dougkearns@gmail.com>
Co-authored-by: Tim Pope <code@tpope.net>
Problem: runtime files may execute code in current dir
Solution: only execute, if not run from current directory
The perl, zig and ruby filetype plugins and the zip and gzip autoload
plugins may try to load malicious executable files from the current
working directory. This is especially a problem on windows, where the
current directory is implicitly in your $PATH and windows may even run a
file with the extension `.bat` because of $PATHEXT.
So make sure that we are not trying to execute a file from the current
directory. If this would be the case, error out (for the zip and gzip)
plugins or silently do not run those commands (for the ftplugins).
This assumes, that only the current working directory is bad. For all
other directories, it is assumed that those directories were
intentionally set to the $PATH by the user.
816fbcc262
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: Wrong cursor position with virtual text before double-width
char at window edge.
Solution: Check for double-width char before adding virtual text size.
closes: vim/vim#12977ac2d8815ae
