File restrict-shell-commands.patch of Package vim.15233

Index: vim74/src/eval.c
===================================================================
--- vim74.orig/src/eval.c
+++ vim74/src/eval.c
@@ -14017,6 +14017,9 @@ f_luaeval(argvars, rettv)
     char_u	*str;
     char_u	buf[NUMBUFLEN];
 
+    if (check_restricted() || check_secure())
+        return;
+
     str = get_tv_string_buf(&argvars[0], buf);
     do_luaeval(str, argvars + 1, rettv);
 }
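Review bot: The early `return` added at the top of f_luaeval leaves `rettv` untouched, so what the calling script receives after a refused call depends on how the caller pre-initialised it, which this hunk does not show. If the caller does not already set a default, assign one explicitly before returning. The guard also has no comment; something like `/* Interface evals run arbitrary code: refuse in restricted mode and when 'secure' is in effect. */` above it would record why it is there. The same guard is repeated verbatim in f_mzeval, f_py3eval and f_pyeval below, so both points apply to those hunks too.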
@@ -14628,6 +14631,9 @@ f_mzeval(argvars, rettv)
     char_u	*str;
     char_u	buf[NUMBUFLEN];
 
+    if (check_restricted() || check_secure())
+        return;
+
     str = get_tv_string_buf(&argvars[0], buf);
     do_mzeval(str, rettv);
 }
@@ -14848,6 +14854,9 @@ f_py3eval(argvars, rettv)
     char_u	*str;
     char_u	buf[NUMBUFLEN];
 
+    if (check_restricted() || check_secure())
+        return;
+
     str = get_tv_string_buf(&argvars[0], buf);
     do_py3eval(str, rettv);
 }
@@ -14865,6 +14874,9 @@ f_pyeval(argvars, rettv)
     char_u	*str;
     char_u	buf[NUMBUFLEN];
 
+    if (check_restricted() || check_secure())
+        return;
+
     str = get_tv_string_buf(&argvars[0], buf);
     do_pyeval(str, rettv);
 }
Index: vim74/src/ex_docmd.c
===================================================================
--- vim74.orig/src/ex_docmd.c
+++ vim74/src/ex_docmd.c
@@ -2224,6 +2224,12 @@ do_one_cmd(cmdlinep, sourcing,
 	    goto doend;
 	}
 #endif
+    if (restricted != 0 && (ea.argt & EX_RESTRICT))
+	{
+	    errormsg = _("E981: Command not allowed in rvim");
+	    goto doend;
+	}
+
 	if (!curbuf->b_p_ma && (ea.argt & MODIFY))
 	{
 	    /* Command not allowed in non-'modifiable' buffer */
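Review bot: The added `if (restricted != 0 && (ea.argt & EX_RESTRICT))` line is indented with four spaces while its braces and body use tabs, so it looks as if it sat outside the block that holds the 'modifiable' check right below it; it should start with a tab like that check. The neighbouring test carries a comment and this one does not; `/* Command not allowed in restricted mode */` inside the braces would match. Note that this gate only stops commands whose table entry carries EX_RESTRICT, so its coverage is exactly the set flagged in ex_cmds.h. do_one_cmd starts and ends outside this hunk.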
Index: vim74/src/ex_cmds.h
===================================================================
--- vim74.orig/src/ex_cmds.h
+++ vim74/src/ex_cmds.h
@@ -54,6 +54,7 @@
 #define CMDWIN	     0x100000L	/* allowed in cmdline window */
 #define MODIFY       0x200000L	/* forbidden in non-'modifiable' buffer */
 #define EXFLAGS      0x400000L	/* allow flags after count in argument */
+#define EX_RESTRICT  0x800000L   // forbidden in restricted mode
 #define FILES	(XFILE | EXTRA)	/* multiple extra files allowed */
 #define WORD1	(EXTRA | NOSPC)	/* one extra word allowed */
 #define FILE1	(FILES | NOSPC)	/* 1 file allowed, defaults to current file */
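Review bot: `EX_RESTRICT` is documented with a `//` comment and space alignment while every neighbouring flag uses `/* */` and tabs, and the other hunks show K&R-style definitions, so a pre-C99 compiler may reject this line. `#define EX_RESTRICT  0x800000L	/* forbidden in restricted mode */` keeps it consistent. The value is the next bit after EXFLAGS among the visible lines, but the rest of the flag list is outside the hunk, so it is worth confirming 0x800000L is not already used by another flag.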
@@ -576,11 +577,11 @@ EX(CMD_ltag,		"ltag",	ex_tag,
 EX(CMD_lunmap,		"lunmap",	ex_unmap,
 			EXTRA|TRLBAR|NOTRLCOM|USECTRLV|CMDWIN),
 EX(CMD_lua,		"lua",		ex_lua,
-			RANGE|EXTRA|NEEDARG|CMDWIN),
+			RANGE|EXTRA|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_luado,		"luado",	ex_luado,
-			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN),
+			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_luafile,		"luafile",	ex_luafile,
-			RANGE|FILE1|NEEDARG|CMDWIN),
+			RANGE|FILE1|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_lvimgrep,	"lvimgrep",	ex_vimgrep,
 			RANGE|NOTADR|BANG|NEEDARG|EXTRA|NOTRLCOM|TRLBAR|XFILE),
 EX(CMD_lvimgrepadd,	"lvimgrepadd",	ex_vimgrep,
@@ -622,9 +623,9 @@ EX(CMD_mkview,		"mkview",	ex_mkrc,
 EX(CMD_mode,		"mode",		ex_mode,
 			WORD1|TRLBAR|CMDWIN),
 EX(CMD_mzscheme,	"mzscheme",	ex_mzscheme,
-			RANGE|EXTRA|DFLALL|NEEDARG|CMDWIN|SBOXOK),
+			RANGE|EXTRA|DFLALL|NEEDARG|CMDWIN|SBOXOK|EX_RESTRICT),
 EX(CMD_mzfile,		"mzfile",	ex_mzfile,
-			RANGE|FILE1|NEEDARG|CMDWIN),
+			RANGE|FILE1|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_next,		"next",		ex_next,
 			RANGE|NOTADR|BANG|FILES|EDITCMD|ARGOPT|TRLBAR),
 EX(CMD_nbkey,		"nbkey",	ex_nbkey,
@@ -742,19 +743,19 @@ EX(CMD_put,		"put",		ex_put,
 EX(CMD_pwd,		"pwd",		ex_pwd,
 			TRLBAR|CMDWIN),
 EX(CMD_python,		"python",	ex_python,
-			RANGE|EXTRA|NEEDARG|CMDWIN),
+			RANGE|EXTRA|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_pydo,		"pydo",		ex_pydo,
-			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN),
+			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_pyfile,		"pyfile",	ex_pyfile,
-			RANGE|FILE1|NEEDARG|CMDWIN),
+			RANGE|FILE1|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_py3,		"py3",		ex_py3,
-			RANGE|EXTRA|NEEDARG|CMDWIN),
+			RANGE|EXTRA|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_py3do,		"py3do",	ex_py3do,
-			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN),
+			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_python3,		"python3",	ex_py3,
-			RANGE|EXTRA|NEEDARG|CMDWIN),
+			RANGE|EXTRA|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_py3file,		"py3file",	ex_py3file,
-			RANGE|FILE1|NEEDARG|CMDWIN),
+			RANGE|FILE1|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_quit,		"quit",		ex_quit,
 			BANG|TRLBAR|CMDWIN),
 EX(CMD_quitall,		"quitall",	ex_quit_all,
@@ -790,11 +791,11 @@ EX(CMD_rightbelow,	"rightbelow",	ex_wron
 EX(CMD_runtime,		"runtime",	ex_runtime,
 			BANG|NEEDARG|FILES|TRLBAR|SBOXOK|CMDWIN),
 EX(CMD_ruby,		"ruby",		ex_ruby,
-			RANGE|EXTRA|NEEDARG|CMDWIN),
+			RANGE|EXTRA|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_rubydo,		"rubydo",	ex_rubydo,
-			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN),
+			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_rubyfile,	"rubyfile",	ex_rubyfile,
-			RANGE|FILE1|NEEDARG|CMDWIN),
+			RANGE|FILE1|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_rundo,		"rundo",	ex_rundo,
 			NEEDARG|FILE1),
 EX(CMD_rviminfo,	"rviminfo",	ex_viminfo,
@@ -972,11 +973,11 @@ EX(CMD_tabrewind,	"tabrewind",	ex_tabnex
 EX(CMD_tabs,		"tabs",		ex_tabs,
 			TRLBAR|CMDWIN),
 EX(CMD_tcl,		"tcl",		ex_tcl,
-			RANGE|EXTRA|NEEDARG|CMDWIN),
+			RANGE|EXTRA|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_tcldo,		"tcldo",	ex_tcldo,
-			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN),
+			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_tclfile,		"tclfile",	ex_tclfile,
-			RANGE|FILE1|NEEDARG|CMDWIN),
+			RANGE|FILE1|NEEDARG|CMDWIN|EX_RESTRICT),
 EX(CMD_tearoff,		"tearoff",	ex_tearoff,
 			NEEDARG|EXTRA|TRLBAR|NOTRLCOM|CMDWIN),
 EX(CMD_tfirst,		"tfirst",	ex_tag,
Index: vim74/src/if_perl.xs
===================================================================
--- vim74.orig/src/if_perl.xs
+++ vim74/src/if_perl.xs
@@ -816,6 +816,7 @@ VIM_init()
 #ifdef DYNAMIC_PERL
 static char *e_noperl = N_("Sorry, this command is disabled: the Perl library could not be loaded.");
 #endif
+static char *e_perlsandbox = N_("E299: Perl evaluation forbidden in sandbox without the Safe module");
 
 /*
  * ":perl"
@@ -865,13 +866,12 @@ ex_perl(eap)
 	vim_free(script);
     }
 
-#ifdef HAVE_SANDBOX
-    if (sandbox)
+    if (sandbox || secure)
     {
 	safe = perl_get_sv("VIM::safe", FALSE);
 # ifndef MAKE_TEST  /* avoid a warning for unreachable code */
 	if (safe == NULL || !SvTRUE(safe))
-	    EMSG(_("E299: Perl evaluation forbidden in sandbox without the Safe module"));
+	    EMSG(_(e_perlsandbox));
 	else
 # endif
 	{
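Review bot: The widened condition `if (sandbox || secure)` still does not consult `restricted`, and none of the ex_cmds.h hunks on this page adds `EX_RESTRICT` to the `:perl` / `:perldo` entries, so Perl appears to be the one interface left reachable in restricted mode. If those entries are not flagged elsewhere, add `|EX_RESTRICT` to both table rows alongside the lua, mzscheme, python, ruby and tcl ones. ex_perl's body starts before and continues after this hunk.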
@@ -883,7 +883,7 @@ ex_perl(eap)
 	}
     }
     else
-#endif
+
 	perl_eval_sv(sv, G_DISCARD | G_NOARGS);
 
     SvREFCNT_dec(sv);
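Review bot: Removing the `#ifdef HAVE_SANDBOX` / `#endif` pair makes ex_perl reference `sandbox` unconditionally; if that variable is only declared when HAVE_SANDBOX is defined (its declaration is not on this page), builds without the feature stop compiling. Replacing `#endif` with an empty line also leaves `else` separated from its statement by a blank line, which reads like a dangling else; drop the blank so `else` is directly followed by `perl_eval_sv(sv, G_DISCARD | G_NOARGS);`. ex_perl's body begins outside this hunk.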