Problem: May pass weird strings to file name expansion.
Solution: Check for matching characters. Disallow control characters.
{
for ( ; *p; MB_PTR_ADV(p))
{
- /* Allow for escaping. */
- if (*p == '\\' && p[1] != NUL)
+ // Disallow line break characters.
+ if (*p == '\r' || *p == '\n')
+ break;
+ // Allow for escaping.
+ if (*p == '\\' && p[1] != NUL && p[1] != '\r' && p[1] != '\n')
++p;
else if (vim_strchr((char_u *)SPECIAL_WILDCHAR, *p) != NULL)
+ {
+ // A { must be followed by a matching }.
+ if (*p == '{' && vim_strchr(p, '}') == NULL)
+ continue;
+ // A quote and backtick must be followed by another one.
+ if ((*p == '`' || *p == '\'') && vim_strchr(p, *p) == NULL)
+ continue;
return TRUE;
+ }
}
return FALSE;
}
}
/*
- * Return TRUE if "val" is a valid 'filetype' name.
- * Also used for 'syntax' and 'keymap'.
+ * Return TRUE if "val" is a valid name: only consists of alphanumeric ASCII
+ * characters or characters in "allowed".
*/
static int
-valid_filetype(char_u *val)
+valid_name(char_u *val, char *allowed)
{
char_u *s;
for (s = val; *s != NUL; ++s)
- if (!ASCII_ISALNUM(*s) && vim_strchr((char_u *)".-_", *s) == NULL)
+ if (!ASCII_ISALNUM(*s) && vim_strchr((char_u *)allowed, *s) == NULL)
return FALSE;
return TRUE;
}
+/*
+ * Return TRUE if "val" is a valid 'filetype' name.
+ * Also used for 'syntax' and 'keymap'.
+ */
+ static int
+valid_filetype(char_u *val)
+{
+ return valid_name(val, ".-_");
+}
+
+/*
+ * Return TRUE if "val" is a valid 'spellang' value.
+ */
+ int
+valid_spellang(char_u *val)
+{
+ return valid_name(val, ".-_,");
+}
+
/*
* Handle string options that need some action to perform when changed.
* Returns NULL for success, or an error message for an error.
else if (varp == &(curwin->w_s->b_p_spl)
|| varp == &(curwin->w_s->b_p_spf))
{
- errmsg = did_set_spell_option(varp == &(curwin->w_s->b_p_spf));
+ if (!valid_spellang(*varp))
+ errmsg = e_invarg;
+ else
+ errmsg = did_set_spell_option(varp == &(curwin->w_s->b_p_spf));
}
/* When 'spellcapcheck' is set compile the regexp program. */
else if (varp == &(curwin->w_s->b_p_spc))
break;
if (p > q)
{
- vim_snprintf((char *)fname, 200, "spell/%.*s.vim", (int)(p - q), q);
+ vim_snprintf((char *)fname, 200, "spell/%.*s.vim",
+ (int)(p - q), q);
source_runtime(fname, DIP_ALL);
}
}
int set_term_option_alloced(char_u **p);
int was_set_insecurely(char_u *opt, int opt_flags);
void set_string_option_direct(char_u *name, int opt_idx, char_u *val, int opt_flags, int set_sid);
+int valid_spellang(char_u *val);
char *check_colorcolumn(win_T *wp);
char *check_stl_option(char_u *s);
void set_term_option_sctx_idx(char *name, int opt_idx);
/* Loop over comma separated language names. */
for (splp = spl_copy; *splp != NUL; )
{
- /* Get one language name. */
+ // Get one language name.
copy_option_part(&splp, lang, MAXWLEN, ",");
region = NULL;
len = (int)STRLEN(lang);
+ if (!valid_spellang(lang))
+ continue;
+
if (STRCMP(lang, "cjk") == 0)
{
wp->w_s->b_cjk = 1;
" Setting 'shell' to an invalid name causes a memory leak.
sandbox call assert_equal("", glob('Xxx\{'))
sandbox call assert_equal("", glob('Xxx\$'))
- w! Xxx{
+ w! Xxx\{
w! Xxx\$
sandbox call assert_equal("Xxx{", glob('Xxx\{'))
sandbox call assert_equal("Xxx$", glob('Xxx\$'))
set nospell spelllang=en
call assert_fails('spellinfo', 'E756:')
+ call assert_fails('set spelllang=foo/bar', 'E474:')
+ call assert_fails('set spelllang=foo\ bar', 'E474:')
+ call assert_fails("set spelllang=foo\\\nbar", 'E474:')
+ call assert_fails("set spelllang=foo\\\rbar", 'E474:')
+ call assert_fails("set spelllang=foo+bar", 'E474:')
+
set enc& spell& spelllang&
bwipe
endfunc
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1143,
/**/
1142,
/**/
projects / vim / commitdiff