diff options
author | matveyt <matthewtarasov@gmail.com> | 2022-02-01 17:26:12 +0000 |
---|---|---|
committer | Bram Moolenaar <Bram@vim.org> | 2022-02-01 17:26:12 +0000 |
commit | adbb1bf21dad5697cd82d46d9dd9e8e8d0f647e6 (patch) | |
tree | 4d33ea62fadc04d671829e15a0b8edf130fcc8e3 | |
parent | 9b4a80a66544f2782040b641498754bcb5b8d461 (diff) | |
download | vim-git-adbb1bf21dad5697cd82d46d9dd9e8e8d0f647e6.tar.gz |
patch 8.2.4282: restricted mode requires the -Z command line optionv8.2.4282
Problem: Restricted mode requires the -Z command line option.
Solution: Use restricted mode when $SHELL ends in "nologin" or "false".
(closes #9681)
-rw-r--r-- | runtime/doc/starting.txt | 2 | ||||
-rw-r--r-- | src/option.c | 11 | ||||
-rw-r--r-- | src/testdir/test_restricted.vim | 8 | ||||
-rw-r--r-- | src/version.c | 2 |
4 files changed, 23 insertions, 0 deletions
diff --git a/runtime/doc/starting.txt b/runtime/doc/starting.txt index f56baf6bc..bca2f9704 100644 --- a/runtime/doc/starting.txt +++ b/runtime/doc/starting.txt @@ -256,6 +256,8 @@ a slash. Thus "-R" means recovery and "-/R" readonly. Interfaces, such as Python, Ruby and Lua, are also disabled, since they could be used to execute shell commands. Perl uses the Safe module. + For Unix restricted mode is used when the last part of $SHELL + is "nologin" or "false". Note that the user may still find a loophole to execute a shell command, it has only been made difficult. diff --git a/src/option.c b/src/option.c index 339ea4299..03274a432 100644 --- a/src/option.c +++ b/src/option.c @@ -307,6 +307,17 @@ set_init_1(int clean_arg) */ set_options_default(0); +#ifdef UNIX + // Force restricted-mode on for "nologin" or "false" $SHELL + p = get_isolated_shell_name(); + if (p != NULL) + { + if (fnamecmp(p, "nologin") == 0 || fnamecmp(p, "false") == 0) + restricted = TRUE; + vim_free(p); + } +#endif + #ifdef CLEAN_RUNTIMEPATH if (clean_arg) { diff --git a/src/testdir/test_restricted.vim b/src/testdir/test_restricted.vim index 22ca2f80c..f743fbf3e 100644 --- a/src/testdir/test_restricted.vim +++ b/src/testdir/test_restricted.vim @@ -105,6 +105,14 @@ func Test_restricted_mode() if RunVim([], [], '-Z --clean -S Xrestricted') call assert_equal([], readfile('Xresult')) endif + call delete('Xresult') + if has('unix') && RunVimPiped([], [], '--clean -S Xrestricted', 'SHELL=/bin/false ') + call assert_equal([], readfile('Xresult')) + endif + call delete('Xresult') + if has('unix') && RunVimPiped([], [], '--clean -S Xrestricted', 'SHELL=/sbin/nologin') + call assert_equal([], readfile('Xresult')) + endif call delete('Xrestricted') call delete('Xresult') diff --git a/src/version.c b/src/version.c index d8b3d4b7f..b96637f15 100644 --- a/src/version.c +++ b/src/version.c @@ -747,6 +747,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 4282, +/**/ 4281, /**/ 4280, |