Vim 7.0 sandbox changes break a lot of my configuration

Vim 7.0 sandbox changes break a lot of my configuration

G. Sumner Hayes
As of vim 7, apparently <C-R>= has been changed to run
things in the sandbox. Among other things, this
disallows using python extensions. This is breaking a
lot of my configuration (for instance, I map Tab to a
clevertab function that may do indentation or
completion or other things based on context).

On a related note, the bexpr (balloon expression) is
also evaluated in the sandbox. It would be very nice
to be able to use embedded scripting languages from
bexpr (so that I could import Python modules and look
at the help strings, connect to debugger to get
values, etc).

It's somewhat sad for me since I was on the verge of
getting a pretty complete Python development
environment that has a lot of features found in modern
"big" IDEs but from within vim (on-the-fly
highlighting of syntax errors, debugger integration,
etc) and vim7 has some nice features on this front if
I can get it working (balloon help, undercurl
highlighting, omnicomplete).


               

Re: Vim 7.0 sandbox changes break a lot of my configuration

Bram Moolenaar

G. Sumner Hayes wrote:

> As of vim 7, apparently <C-R>= has been changed to run
> things in the sandbox. Among other things, this
> disallows using python extensions. This is breaking a
> lot of my configuration (for instance, I map Tab to a
> clevertab function that may do indentation or
> completion or other things based on context).

I was wondering if someone had a problem with this.  I can't undo it
though, because allowing everything may cause lots of trouble.

The main thing is to disallow changing the current buffer or window
focus.  Also, changing the buffer text may cause trouble (e.g., deleting
lines so that the line the command line was started from is no longer
there).

Something like Python won't be a real problem.  Perhaps what should
apply is the rules that are used in the commandline window.  I'll have
to look into that.

> On a related note, the bexpr (balloon expression) is
> also evaluated in the sandbox. It would be very nice
> to be able to use embedded scripting languages from
> bexpr (so that I could import Python modules and look
> at the help strings, connect to debugger to get
> values, etc).

The main reason is that 'balloonexpr' can be set in a modeline.  You
don't want options set in modeline to be used without the sandbox.  And
we can't disallow setting it from a modeline without dropping backwards
compatibility.

I can think of a solution, but it's not really simple: When
'balloonexpr' was set from an unsafe place, such as a modeline, then use
the sandbox.  When it was set from a safe place then the sandbox isn't
needed.

> It's somewhat sad for me since I was on the verge of
> getting a pretty complete Python development
> environment that has a lot of features found in modern
> "big" IDEs but from within vim (on-the-fly
> highlighting of syntax errors, debugger integration,
> etc) and vim7 has some nice features on this front if
> I can get it working (balloon help, undercurl
> highlighting, omnicomplete).

Sounds nice.  How about WxPython support? :-)

--
How To Keep A Healthy Level Of Insanity:
1. At lunch time, sit in your parked car with sunglasses on and point
   a hair dryer at passing cars. See if they slow down.

 /// Bram Moolenaar -- [hidden email] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://www.ICCF.nl         ///

Re: Vim 7.0 sandbox changes break a lot of my configuration

G. Sumner Hayes
Resurrecting an older topic, there were 2
sandbox-related things on the agenda that we talked
about a little.

1. Changing the <C-R> rules away from a strict sandbox
to allow python scripts, perhaps to the ones used in
the commandline window (this was the "C-R changes
break my older mappings" issue)
2. Looking at allowing bexpr to run non-sandbox
commands _if_ it wasn't set in a modeline (this is so
that bexpr could potentially get values from an
external debugger or somewhere via Python/Perl
extensions).

Are either of those things that you're actively
working on?  If not, I'd like to take a look at (2).
(1) seems like it'd require more knowledge of vim
internals than I have at the moment.


               

Re: Vim 7.0 sandbox changes break a lot of my configuration

Bram Moolenaar

G. Sumner Hayes wrote:

> Resurrecting an older topic, there were 2
> sandbox-related things on the agenda that we talked
> about a little.
>
> 1. Changing the <C-R> rules away from a strict sandbox
> to allow python scripts, perhaps to the ones used in
> the commandline window (this was the "C-R changes
> break my older mappings" issue)
> 2. Looking at allowing bexpr to run non-sandbox
> commands _if_ it wasn't set in a modeline (this is so
> that bexpr could potentially get values from an
> external debugger or somewhere via Python/Perl
> extensions).
>
> Are either of those things that you're actively
> working on?  If not, I'd like to take a look at (2).
> (1) seems like it'd require more knowledge of vim
> internals than I have at the moment.

I'm currently doing something complicated with spell checking, I prefer
to concentrate on that and get it mostly finished before doing something
else.  So, please go ahead and look into these items.

--
Despite the cost of living, have you noticed how it remains so popular?

 /// Bram Moolenaar -- [hidden email] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://www.ICCF.nl         ///

Re: Vim 7.0 sandbox changes break a lot of my configuration

G. Sumner Hayes
Bram Moolenaar <[hidden email]> wrote:
> G. Sumner Hayes wrote:
> > 2. Looking at allowing bexpr to run non-sandbox
> > commands _if_ it wasn't set in a modeline (this is
> > so that bexpr could potentially get values from an
> > external debugger or somewhere via Python/Perl
> > extensions).

> So, please go ahead and look into these items.

Attached is a patch for this.  It's a
demonstration-of-concept, not ready for public use.

Essentially, I add a flag P_MODELINE to every option,
and a function was_set_modeline() that can be called
with the option name to find out whether it was set
from a modeline or not.

And I patch gui_bexpr.c to use this to figure out
whether or not to run in the sandbox.

In the future, other commands could do likewise.

The alternative would be to make this bexpr-specific
and just add a global bexpr_set_modeline flag that you
could test to see if it was set from a modeline or
not.  That saves the introduction of a new P_MODELINE
flag but makes this far less flexible.

Now, this doesn't actually look at which operation a
"set" is doing, so it's not quite right yet (just
doing a ":set option" will make it think the option
was set from a non-modeline).  But before I actually
flesh out that handling I want to know if this kind of
approach is reasonable.


               

Re: Vim 7.0 sandbox changes break a lot of my configuration

G. Sumner Hayes
"G. Sumner Hayes" <[hidden email]> wrote:
> Attached is a patch for this.  It's a
> demonstration-of-concept, not ready for public use.

Oops, I guess an attachment would be handy.

Now it's attached.

>
> Essentially, I add a flag P_MODELINE to every
> option,
> and a function was_set_modeline() that can be called
> with the option name to find out whether it was set
> from a modeline or not.
>
> And I patch gui_bexpr.c to use this to figure out
> whether or not to run in the sandbox.
>
> In the future, other commands could do likewise.
>
> The alternative would be to make this bexpr-specific
> and just add a global bexpr_set_modeline flag that
> you
> could test to see if it was set from a modeline or
> not.  That saves the introduction of a new
> P_MODELINE flag but makes this far less flexible.
>
> Now, this doesn't actually look at which operation a
> "set" is doing, so it's not quite right yet (just
> doing a ":set option" will make it think the option
> was set from a non-modeline).  But before I actually
> flesh out that handling I want to know if this kind
> of approach is reasonable.


               

--- /home/sumner/src/vim2/src/gui_beval.c 2005-08-10 09:11:09.000000000 -0400
+++ /home/sumner/src/vim/src/gui_beval.c 2006-01-09 20:14:55.575084064 -0500
@@ -23,6 +23,7 @@
 {
     win_T *wp;
     int col;
+    int set_from_modeline;
     linenr_T lnum;
     char_u *text;
     static char_u  *result = NULL;
@@ -50,10 +51,11 @@
  set_vim_var_string(VV_BEVAL_TEXT, text, -1);
  vim_free(text);
 
- ++sandbox;
+        set_from_modeline = was_set_modeline("balloonexpr");
+        if(set_from_modeline) ++sandbox;
  vim_free(result);
  result = eval_to_string(p_bexpr, NULL);
- --sandbox;
+ if(set_from_modeline) --sandbox;
 
  set_vim_var_string(VV_BEVAL_TEXT, NULL, -1);
  if (result != NULL && result[0] != NUL)
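
Review bot: was_set_modeline() returns -1 when the option is not found, and `if(set_from_modeline) ++sandbox;` treats that as true, so a failed lookup falls back to the sandbox. That is the safe direction, but nothing here says it is intended; add a comment or compare explicitly so a later cleanup does not turn the -1 into "not sandboxed". The string literal should also be passed as `(char_u *)"balloonexpr"` to match the `char_u *opt` parameter declared in option.h.
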
--- /home/sumner/src/vim2/src/option.c 2005-12-12 13:50:27.000000000 -0500
+++ /home/sumner/src/vim/src/option.c 2006-01-09 20:11:53.364705335 -0500
@@ -317,6 +317,7 @@
 #define P_GETTEXT 0x80000L/* expand default value with _() */
 #define P_NOGLOB       0x100000L/* do not use local value for global vimrc */
 #define P_NFNAME       0x200000L/* only normal file name chars allowed */
+#define P_MODELINE     0x400000L/* Option was set from a modeline */
 
 /*
  * options[] is initialized here.
@@ -3796,6 +3797,14 @@
  errmsg = (char_u *)_("E520: Not allowed in a modeline");
  goto skip;
     }
+            else if ((opt_flags & OPT_MODELINE))
+            {
+                options[opt_idx].flags &= P_MODELINE;
+            }
+            else
+            {
+                options[opt_idx].flags ^= P_MODELINE;
+            }
 
     /* Skip all options that are not window-local (used when showing
      * an already loaded buffer in a window). */
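
Review bot: neither branch does what the description says. In the modeline branch, `options[opt_idx].flags &= P_MODELINE;` never sets the bit and clears every other flag on the option; it should be `|= P_MODELINE`. In the else branch, `^= P_MODELINE` toggles, so a non-modeline set on an option whose bit is clear marks it as modeline-set; use `&= ~P_MODELINE`. As written, an option set from a modeline is not recorded as such, and gui_beval.c would then evaluate it outside the sandbox.
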
@@ -4837,6 +4846,19 @@
     return; /* cannot happen: didn't find it! */
 }
 
+    int
+was_set_modeline(opt)
+        char_u *opt;
+{
+    int idx = findoption(opt);
+    if(idx>0)
+    {
+        int flags = options[idx].flags;
+        return flags & P_MODELINE;
+    }
+    return -1;
+}
+
 /*
  * Set a string option to a new value (without checking the effect).
  * The string is copied into allocated memory.
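
Review bot: `if(idx>0)` rejects index 0, which is a valid entry in options[]; findoption() signals "not found" with a negative value, so the test should be `idx >= 0`. The function also needs a header comment stating its three results (non-zero flag value, 0, and -1 for an unknown option), and `int flags` should use the same type as the flags field, since P_MODELINE is defined as a long constant (0x400000L) and would not survive a narrower int.
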
--- /home/sumner/src/vim2/src/option.h 2005-12-13 04:17:39.000000000 -0500
+++ /home/sumner/src/vim/src/option.h 2006-01-09 20:12:57.912436240 -0500
@@ -378,6 +378,7 @@
 EXTERN int clip_unnamed INIT(= FALSE);
 EXTERN int clip_autoselect INIT(= FALSE);
 EXTERN int clip_autoselectml INIT(= FALSE);
+EXTERN int was_set_modeline(char_u *opt);
 EXTERN regprog_T *clip_exclude_prog INIT(= NULL);
 #endif
 EXTERN long p_ch; /* 'cmdheight' */
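
Review bot: this prototype is placed among the clip_* variables, above the `#endif` that closes their conditional block, so it is only declared when that block is compiled in, while gui_beval.c calls the function independently of it. EXTERN with INIT() is this header's idiom for variables; move the declaration out of the conditional block and put it with the other function prototypes.
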

Re: Vim 7.0 sandbox changes break a lot of my configuration

Bram Moolenaar
In reply to this post by G. Sumner Hayes

G. Sumner Hayes wrote:

> Bram Moolenaar <[hidden email]> wrote:
> > G. Sumner Hayes wrote:
> > > 2. Looking at allowing bexpr to run non-sandbox
> > > commands _if_ it wasn't set in a modeline (this is
> > > so that bexpr could potentially get values from an
> > > external debugger or somewhere via Python/Perl
> > > extensions).
>
> > So, please go ahead and look into these items.
>
> Attached is a patch for this.  It's a
> demonstration-of-concept, not ready for public use.
>
> Essentially, I add a flag P_MODELINE to every option,
> and a function was_set_modeline() that can be called
> with the option name to find out whether it was set
> from a modeline or not.
>
> And I patch gui_bexpr.c to use this to figure out
> whether or not to run in the sandbox.

After a brief look it appears to be OK.  Perhaps instead of P_MODELINE a
more generic flag could be used, such as P_UNSAFE.  It's probably also
to be used when "secure" is set (using a .vimrc in a local directory).

> In the future, other commands could do likewise.
>
> The alternative would be to make this bexpr-specific
> and just add a global bexpr_set_modeline flag that you
> could test to see if it was set from a modeline or
> not.  That saves the introduction of a new P_MODELINE
> flag but makes this far less flexible.

I think the generic solution is good, it doesn't require much overhead
and it's likely to be useful for other purposes.

> Now, this doesn't actually look at which operation a
> "set" is doing, so it's not quite right yet (just
> doing a ":set option" will make it think the option
> was set from a non-modeline).  But before I actually
> flesh out that handling I want to know if this kind of
> approach is reasonable.

Searching for P_SECURE in option.c will find other potential places to
do this.  Perhaps this code can be cleaned up a bit (it has been changed
quite a few times now).

--
Latest survey shows that 3 out of 4 people make up 75% of the
world's population.

 /// Bram Moolenaar -- [hidden email] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://www.ICCF.nl         ///

Re: Vim 7.0 sandbox changes break a lot of my configuration

G. Sumner Hayes
Bram Moolenaar <[hidden email]> wrote:
> G. Sumner Hayes wrote:
> > Attached is a patch for this.  It's a
> > demonstration-of-concept, not ready for public
>
> After a brief look it appears to be OK.  Perhaps
> instead of P_MODELINE a more generic flag could
> be used, such as P_UNSAFE. It's probably also
> to be used when "secure" is set (using a .vimrc in a
> local directory).

Thanks, Bram.  I'll rename and take a shot at a real
(production worthy) patch along these lines.

Sumner


[PATCH] Allow bexpr outside sandbox if not set from modeline

G. Sumner Hayes
As discussed, this adds a P_INSECURE flag to options.
It does not yet set that flag for secure files, only
for modelines, so you shouldn't use this in production
yet (I'm looking at that next).

The flag is set whenever an option is set from a
modeline.
The flag is unset whenever (a) the option is set from
outside a modeline and (b) adding, prepending, and
removing aren't true (so the option is being set from
scratch and not just altering a possibly unsafe
option).

It seems to work, but for some reason although it
is generating errors correctly it's not printing the
full error message.  After staring at it for a while I
can't figure out why--any ideas?

Try testing with a bexpr that calls a sandbox-unsafe
function--set  by hand/vimrc it works fine, set from a
modeline it errors out but doesn't print the full
error message.

Thanks for your time,

Sumner

--- /home/sumner/src/vim2/src/option.h 2005-12-13 04:17:39.000000000 -0500
+++ src/option.h 2006-01-11 14:55:27.853250806 -0500
@@ -378,6 +378,7 @@
 EXTERN int clip_unnamed INIT(= FALSE);
 EXTERN int clip_autoselect INIT(= FALSE);
 EXTERN int clip_autoselectml INIT(= FALSE);
+EXTERN int was_set_insecurely(char_u *opt);
 EXTERN regprog_T *clip_exclude_prog INIT(= NULL);
 #endif
 EXTERN long p_ch; /* 'cmdheight' */
--- /home/sumner/src/vim2/src/option.c 2005-12-12 13:50:27.000000000 -0500
+++ src/option.c 2006-01-11 16:16:30.903099726 -0500
@@ -317,6 +317,7 @@
 #define P_GETTEXT 0x80000L/* expand default value with _() */
 #define P_NOGLOB       0x100000L/* do not use local value for global vimrc */
 #define P_NFNAME       0x200000L/* only normal file name chars allowed */
+#define P_INSECURE     0x400000L/* Option was set from a modeline */
 
 /*
  * options[] is initialized here.
@@ -3796,6 +3797,10 @@
  errmsg = (char_u *)_("E520: Not allowed in a modeline");
  goto skip;
     }
+            if ((opt_flags & OPT_MODELINE))
+            {
+                options[opt_idx].flags = flags | P_INSECURE;
+            }
 
     /* Skip all options that are not window-local (used when showing
      * an already loaded buffer in a window). */
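
Review bot: `options[opt_idx].flags = flags | P_INSECURE;` indexes options[] without the `opt_idx >= 0` guard that the later hunk in this file puts around its own flag update; add the same guard here. It also writes back the local copy `flags` instead of or-ing into the field, so any bit changed on the option since `flags` was read is lost. `options[opt_idx].flags |= P_INSECURE;` inside the guard avoids both.
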
@@ -4343,8 +4348,14 @@
  redraw_all_later(CLEAR);
     }
  }
- if (opt_idx >= 0)
+ if (opt_idx >= 0)
+                {
     options[opt_idx].flags |= P_WAS_SET;
+                    if (!prepending && !adding && !removing && !(opt_flags & OPT_MODELINE))
+                    {
+                        options[opt_idx].flags = flags ^ P_INSECURE;
+                    }
+                }
     }
 
 skip:
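
Review bot: `options[opt_idx].flags = flags ^ P_INSECURE;` does not clear the bit, it toggles it: when P_INSECURE is not in the local `flags`, a trusted from-scratch set turns it on. Assigning from the stale local copy also overwrites the `|= P_WAS_SET` on the line just above unless that bit was already in `flags`. Use `options[opt_idx].flags &= ~P_INSECURE;` so the field is updated in place and the operation is idempotent.
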
@@ -4837,6 +4848,19 @@
     return; /* cannot happen: didn't find it! */
 }
 
+    int
+was_set_insecurely(opt)
+        char_u *opt;
+{
+    int idx = findoption(opt);
+    if(idx>3)
+    {
+        int flags = options[idx].flags;
+        return (flags & P_INSECURE) != 0;
+    }
+    return -1;
+}
+
 /*
  * Set a string option to a new value (without checking the effect).
  * The string is copied into allocated memory.
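
Review bot: `if(idx>3)` is unexplained and makes the first four entries of options[] return -1 no matter how they were set; if the intent is "option was found", the test is `idx >= 0`. Since the caller in gui_beval.c treats -1 as true, document the three return values in a comment above the function so that the fail-closed behaviour is deliberate rather than accidental.
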
--- /home/sumner/src/vim2/src/gui_beval.c 2005-08-10 09:11:09.000000000 -0400
+++ src/gui_beval.c 2006-01-11 16:14:45.210934376 -0500
@@ -23,6 +23,7 @@
 {
     win_T *wp;
     int col;
+    int set_insecurely;
     linenr_T lnum;
     char_u *text;
     static char_u  *result = NULL;
@@ -50,10 +51,11 @@
  set_vim_var_string(VV_BEVAL_TEXT, text, -1);
  vim_free(text);
 
- ++sandbox;
+        set_insecurely = was_set_insecurely("balloonexpr");
+        if(set_insecurely) ++sandbox;
  vim_free(result);
  result = eval_to_string(p_bexpr, NULL);
- --sandbox;
+ if(set_insecurely) --sandbox;
 
  set_vim_var_string(VV_BEVAL_TEXT, NULL, -1);
  if (result != NULL && result[0] != NUL)
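
The set/unset rule described in the message above, as a stand-alone model: an added example, not part of the original post or of Vim's source. Every `demo_` name is hypothetical, and `from_modeline` stands for any untrusted source of the option value.

```c
/* Added example: model of the provenance flag; all demo_ names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define DEMO_VALUE_MAX  128
#define DEMO_P_WAS_SET  0x01L
#define DEMO_P_INSECURE 0x02L   /* value last written from an untrusted place */

enum demo_op { DEMO_ASSIGN, DEMO_ADD, DEMO_PREPEND, DEMO_REMOVE };

struct demo_option {
    char value[DEMO_VALUE_MAX];
    long flags;
};

static int demo_sandbox = 0;    /* nesting counter, entered with ++ and left with -- */

/* Apply one ":set"-style operation and update the provenance flag. */
static void demo_set(struct demo_option *o, enum demo_op op,
                     const char *val, int from_modeline)
{
    char tmp[DEMO_VALUE_MAX];
    char *hit;

    switch (op) {
    case DEMO_ASSIGN:
        snprintf(o->value, sizeof o->value, "%s", val);
        break;
    case DEMO_ADD:
        strncat(o->value, val, sizeof o->value - strlen(o->value) - 1);
        break;
    case DEMO_PREPEND:
        snprintf(tmp, sizeof tmp, "%s%s", val, o->value);
        memcpy(o->value, tmp, sizeof tmp);
        break;
    case DEMO_REMOVE:
        hit = *val ? strstr(o->value, val) : NULL;
        if (hit != NULL)
            memmove(hit, hit + strlen(val), strlen(hit + strlen(val)) + 1);
        break;
    }

    o->flags |= DEMO_P_WAS_SET;
    if (from_modeline)
        o->flags |= DEMO_P_INSECURE;    /* any untrusted write taints */
    else if (op == DEMO_ASSIGN)
        o->flags &= ~DEMO_P_INSECURE;   /* only a trusted full assignment clears */
    /* trusted add/prepend/remove: flag unchanged, untrusted text may remain */
}

/* Stand-in for the expression evaluator: reports whether it ran sandboxed. */
static int demo_eval(const struct demo_option *o)
{
    (void)o;
    return demo_sandbox > 0;
}

/* Enter the sandbox only for a tainted option. The decision is taken once,
 * so the increment and the decrement always pair up. */
static int demo_eval_option(const struct demo_option *o)
{
    int insecure = (o->flags & DEMO_P_INSECURE) != 0;
    int sandboxed;

    if (insecure) ++demo_sandbox;
    sandboxed = demo_eval(o);
    if (insecure) --demo_sandbox;
    return sandboxed;
}

/* Replay the first n steps of a constructed history and report whether the
 * option would then be evaluated in the sandbox. */
static int demo_sandboxed_after(int n)
{
    static const struct { enum demo_op op; const char *val; int modeline; } steps[] = {
        { DEMO_ASSIGN, "Trusted()",  0 },  /* 1: set from vimrc */
        { DEMO_ASSIGN, "FromFile()", 1 },  /* 2: set from a modeline */
        { DEMO_ADD,    ".More()",    0 },  /* 3: trusted append to tainted value */
        { DEMO_ASSIGN, "Trusted()",  0 },  /* 4: trusted full assignment */
        { DEMO_ASSIGN, "Trusted()",  0 },  /* 5: same again, must stay clear */
        { DEMO_ADD,    ".More()",    1 },  /* 6: modeline append */
    };
    struct demo_option o = { "", 0 };
    int i;

    for (i = 0; i < n && i < (int)(sizeof steps / sizeof steps[0]); ++i)
        demo_set(&o, steps[i].op, steps[i].val, steps[i].modeline);
    return demo_eval_option(&o);
}

int main(void)
{
    int n;

    for (n = 1; n <= 6; ++n)
        printf("after step %d: sandboxed=%d\n", n, demo_sandboxed_after(n));
    return 0;
}
```

Step 5 is the case that separates clearing the bit with a mask from toggling it: two trusted assignments in a row must both leave the option unsandboxed.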

Re: [PATCH] Allow bexpr outside sandbox if not set from modeline

Bram Moolenaar

G. Sumner Hayes wrote:

> As discussed, this adds a P_INSECURE flag to options.
> It does not yet set that flag for secure files, only
> for modelines, so you shouldn't use this in production
> yet (I'm looking at that next).
>
> The flag is set whenever an option is set from a modeline.
> The flag is unset whenever (a) the option is set from
> outside a modeline and (b) adding, prepending, and
> removing aren't true (so the option is being set from
> scratch and not just altering a possibly unsafe
> option).
>
> It seems to work, but for some reason although it
> is generating errors correctly it's not printing the
> full error message.  After staring at it for a while I
> can't figure out why--any ideas?
>
> Try testing with a bexpr that calls a sandbox-unsafe
> function--set  by hand/vimrc it works fine, set from a
> modeline it errors out but doesn't print the full
> error message.

Doesn't the same happen without the patch?  It seems you only change the
way "sandbox" is set or not.

The balloonexpression is triggered from somewhere deep down in the event
loop, that probably matters.  And it depends on what system you are on.

--
Q: What is a patch 22?
A: A patch you need to include to make it possible to include patches.

 /// Bram Moolenaar -- [hidden email] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://www.ICCF.nl         ///

[PATCH] [BETA ready] Allow bexpr outside sandbox if not set from modeline

G. Sumner Hayes
Bram Moolenaar <[hidden email]> wrote:
> Sumner wrote:
> > it errors out but doesn't print the full
> > error message.
>
> Doesn't the same happen without the patch?  It seems
> you only change the way "sandbox" is set or not.

Yes, you're right.  Sorry for missing that.

I think the patch attached to this message is now
feature-complete and ready for beta-testing/inclusion.

In addition to flagging P_INSECURE if the option was
set from a modeline, it also sets the P_INSECURE flag
if the global "secure" is set when the option is being
set.

A documentation patch is included noting:
"If the bexpr was set from a possibly insecure
location (per-directory .vimrc/.exrc, or from a
modeline) then bexpr is evaluated in the |sandbox|.
If it was set by hand or from the standard
.vimrc/.exrc, then it is not evaluated in the
sandbox."

Thanks for your time,

Sumner

--- /home/sumner/src/vim2/src/option.h 2005-12-13 04:17:39.000000000 -0500
+++ src/option.h 2006-01-11 14:55:27.000000000 -0500
@@ -378,6 +378,7 @@
 EXTERN int clip_unnamed INIT(= FALSE);
 EXTERN int clip_autoselect INIT(= FALSE);
 EXTERN int clip_autoselectml INIT(= FALSE);
+EXTERN int was_set_insecurely(char_u *opt);
 EXTERN regprog_T *clip_exclude_prog INIT(= NULL);
 #endif
 EXTERN long p_ch; /* 'cmdheight' */
--- /home/sumner/src/vim2/src/option.c 2005-12-12 13:50:27.000000000 -0500
+++ src/option.c 2006-01-12 13:48:37.956015281 -0500
@@ -317,6 +317,7 @@
 #define P_GETTEXT 0x80000L/* expand default value with _() */
 #define P_NOGLOB       0x100000L/* do not use local value for global vimrc */
 #define P_NFNAME       0x200000L/* only normal file name chars allowed */
+#define P_INSECURE     0x400000L/* Option was set from a modeline */
 
 /*
  * options[] is initialized here.
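
Review bot: the comment on P_INSECURE still reads "Option was set from a modeline", but in this version the flag is also set when `secure` is on. Update the comment to cover both sources, for example "option was set from a modeline or while 'secure' was set", so the define matches the condition used further down in this file.
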
@@ -3796,6 +3797,10 @@
  errmsg = (char_u *)_("E520: Not allowed in a modeline");
  goto skip;
     }
+            if (secure || (opt_flags & OPT_MODELINE))
+            {
+                options[opt_idx].flags = flags | P_INSECURE;
+            }
 
     /* Skip all options that are not window-local (used when showing
      * an already loaded buffer in a window). */
@@ -4343,8 +4348,14 @@
  redraw_all_later(CLEAR);
     }
  }
- if (opt_idx >= 0)
+ if (opt_idx >= 0)
+                {
     options[opt_idx].flags |= P_WAS_SET;
+                    if (!prepending && !adding && !removing && !(opt_flags & OPT_MODELINE))
+                    {
+                        options[opt_idx].flags = flags ^ P_INSECURE;
+                    }
+                }
     }
 
 skip:
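
Review bot: the clear condition tests `!(opt_flags & OPT_MODELINE)` but not `secure`, while the earlier hunk sets the flag on `secure || (opt_flags & OPT_MODELINE)`. A from-scratch set made while `secure` is on therefore reaches `flags ^ P_INSECURE`, and because `flags` is the stale local copy, an option that was already marked insecure has the bit cleared. Add `!secure` to the condition and clear with `options[opt_idx].flags &= ~P_INSECURE;`, which also keeps the P_WAS_SET bit or-ed in on the line above.
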
@@ -4837,6 +4848,19 @@
     return; /* cannot happen: didn't find it! */
 }
 
+    int
+was_set_insecurely(opt)
+        char_u *opt;
+{
+    int idx = findoption(opt);
+    if(idx>3)
+    {
+        int flags = options[idx].flags;
+        return (flags & P_INSECURE) != 0;
+    }
+    return -1;
+}
+
 /*
  * Set a string option to a new value (without checking the effect).
  * The string is copied into allocated memory.
--- /home/sumner/src/vim2/src/gui_beval.c 2005-08-10 09:11:09.000000000 -0400
+++ src/gui_beval.c 2006-01-11 16:14:45.000000000 -0500
@@ -23,6 +23,7 @@
 {
     win_T *wp;
     int col;
+    int set_insecurely;
     linenr_T lnum;
     char_u *text;
     static char_u  *result = NULL;
@@ -50,10 +51,11 @@
  set_vim_var_string(VV_BEVAL_TEXT, text, -1);
  vim_free(text);
 
- ++sandbox;
+        set_insecurely = was_set_insecurely("balloonexpr");
+        if(set_insecurely) ++sandbox;
  vim_free(result);
  result = eval_to_string(p_bexpr, NULL);
- --sandbox;
+ if(set_insecurely) --sandbox;
 
  set_vim_var_string(VV_BEVAL_TEXT, NULL, -1);
  if (result != NULL && result[0] != NUL)
--- /home/sumner/src/vim2/runtime/doc/options.txt 2005-12-29 13:27:41.000000000 -0500
+++ runtime/doc/options.txt 2006-01-12 13:54:02.957447993 -0500
@@ -1037,6 +1037,11 @@
  Vim does not try to send a message to an external debugger (Netbeans
  or Sun Workshop).
 
+        If the bexpr was set from a possibly insecure location (per-directory
+        .vimrc/.exrc, or from a modeline) then bexpr is evaluated in the
+        |sandbox|.  If it was set by hand or from the standard .vimrc/.exrc,
+        then it is not evaluated in the sandbox.
+
  To check whether line breaks in the balloon text work use this check: >
  if has("balloon_multiline")
 <
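
Review bot: the added paragraph leaves out the case the patch description calls out, namely that adding to, prepending to or removing from the option from a trusted place does not take it out of the sandbox once it has been set from an insecure location. A user who appends to a modeline-set value by hand will otherwise read "set by hand" as meaning unsandboxed. Add one sentence stating that only setting the whole value from a secure location lifts the restriction.
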

RE: [PATCH] [BETA ready] Allow bexpr outside sandbox if not set from modeline

Halim, Salman
In reply to this post by G. Sumner Hayes
This seems like a very good idea:  determining the permission level of
an option based on where it was set.  Any reason why this shouldn't be
extended to the other sandbox options?  From :help sandbox, 'foldexpr',
'includeexpr', 'indentexpr', 'statusline' and 'foldtext'.  Admittedly, I
can't think of an example where I would use this immediately, but it
shouldn't be difficult to implement, especially since it won't break
existing functionality...  (Expressions that are sandbox-safe should
continue to execute just fine in a non-sandbox environment.)

Salman.

> -----Original Message-----
> From: G. Sumner Hayes [mailto:[hidden email]]
> Sent: Thursday, January 12, 2006 1:59 PM
> To: Bram Moolenaar
> Cc: [hidden email]
> Subject: [PATCH] [BETA ready] Allow bexpr outside sandbox if
> not set from modeline
>
> Bram Moolenaar <[hidden email]> wrote:
> > Sumner wrote:
> > > it errors out but doesn't print the full error message.
> >
> > Doesn't the same happen without the patch?  It seems you
> only change
> > the way "sandbox" is set or not.
>
> Yes, you're right.  Sorry for missing that.
>
> I think the patch attached to this message is now
> feature-complete and ready for beta-testing/inclusion.
>
> In addition to flagging P_INSECURE if the option was set from
> a modeline, it also sets the P_INSECURE flag if the global
> "secure" is set when the option is being set.
>
> A documentation patch is included noting:
> "If the bexpr was set from a possibly insecure location
> (per-directory .vimrc/.exrc, or from a
> modeline) then bexpr is evaluated in the |sandbox|.
> If it was set by hand or from the standard .vimrc/.exrc, then
> it is not evaluated in the sandbox."
>
> Thanks for your time,
>
> Sumner
>

[PATCH] [untested] Allow other options outside sandbox if not set from modeline

G. Sumner Hayes
"Halim, Salman" <[hidden email]> wrote:
> This seems like a very good idea:  determining the
> permission level of an option based on where it
> was set.  Any reason why this shouldn't be
> extended to the other sandbox options?  From :help
> sandbox, 'foldexpr', 'includeexpr', 'indentexpr',
> 'statusline' and 'foldtext'.

No reason.  Bram and I discussed it on the list in the
thread while the patch was being developed and picked
this approach because it could apply to other options
as well.

If this patch is included, supporting those options
should be straightforward (just look at the
gui_bexpr.c portion of the patch and do similar things
for them).

In fact, here's an untested patch to do that.  

Are you testing 7.0 releases?  If you feel like being
super helpful, you could:
1) apply the other patch
2) apply this patch
3) test each option with a value that is
sandbox-unsafe, setting it alternately from the .vimrc
and a modeline/local vimrc
4) update the documentation for each option.

If not, I'll probably get around to testing it later
this week.

Even just testing without doc updates would be very
helpful.  

I'm especially interested in getting testing for the
includeexpr, foldtext, or statusline options since
those use a different mechanism from the one used by
balloonexpr, foldexpr, and indentexpr.

Sumner

--- /home/sumner/src/vim2/src/eval.c 2005-12-20 04:33:37.000000000 -0500
+++ /home/sumner/src/vim/src/eval.c 2006-01-12 15:11:25.662799146 -0500
@@ -1568,9 +1568,11 @@
     typval_T tv;
     int retval;
     char_u *s;
+    int set_insecurely;
 
     ++emsg_off;
-    ++sandbox;
+    set_insecurely = was_set_insecurely("foldexpr");
+    if(set_insecurely) ++sandbox;
     *cp = NUL;
     if (eval0(arg, &tv, NULL, TRUE) == FAIL)
  retval = 0;
@@ -1593,7 +1595,7 @@
  clear_tv(&tv);
     }
     --emsg_off;
-    --sandbox;
+    if(set_insecurely) --sandbox;
 
     return retval;
 }
--- /home/sumner/src/vim2/src/window.c 2005-12-12 08:43:12.000000000 -0500
+++ /home/sumner/src/vim/src/window.c 2006-01-12 15:18:02.032578215 -0500
@@ -4636,9 +4636,14 @@
     int len;
 {
     char_u *res;
+    int set_insecurely;
 
+    set_insecurely = was_set_insecurely("includeexpr");
     set_vim_var_string(VV_FNAME, ptr, len);
-    res = eval_to_string_safe(curbuf->b_p_inex, NULL);
+    if(set_insecurely)
+        res = eval_to_string_safe(curbuf->b_p_inex, NULL);
+    else
+        res = eval_to_string(curbuf->b_p_inex, NULL);
     set_vim_var_string(VV_FNAME, NULL, 0);
     return res;
 }
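
Review bot: the value evaluated here is buffer-local (`curbuf->b_p_inex`), but was_set_insecurely("includeexpr") consults a single flag per option name in options[]. If one buffer receives 'includeexpr' from a modeline and the option is later set from a trusted place for another buffer, the flag is cleared for both and the modeline value goes through eval_to_string() unsandboxed. The provenance bit has to be stored alongside the local value (per buffer here, per window for `wp->w_p_fdt` in fold.c) before this branch can stop using eval_to_string_safe().
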
--- /home/sumner/src/vim2/src/fold.c 2005-08-10 09:24:35.000000000 -0400
+++ /home/sumner/src/vim/src/fold.c 2006-01-12 15:17:36.128531457 -0500
@@ -1938,7 +1938,10 @@
  curbuf = wp->w_buffer;
 
  ++emsg_off;
- text = eval_to_string_safe(wp->w_p_fdt, NULL);
+        if (was_set_insecurely("foldtext"))
+    text = eval_to_string_safe(wp->w_p_fdt, NULL);
+        else
+            text = eval_to_string(wp->w_p_fdt, NULL);
  --emsg_off;
 
  curwin = save_curwin;
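
Review bot: this if/else choosing between eval_to_string_safe() and eval_to_string() is repeated in window.c and buffer.c with only the option name changed. A single helper that takes the option name and the expression, and makes the sandbox decision in one place, would keep the three call sites from drifting apart and give one spot to fix if the was_set_insecurely() contract changes.
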
--- /home/sumner/src/vim2/src/misc1.c 2005-12-19 16:13:23.000000000 -0500
+++ /home/sumner/src/vim/src/misc1.c 2006-01-12 15:10:16.604685092 -0500
@@ -7671,12 +7671,14 @@
     int indent;
     pos_T pos;
     int save_State;
+    int set_insecurely;
 
     pos = curwin->w_cursor;
     set_vim_var_nr(VV_LNUM, curwin->w_cursor.lnum);
-    ++sandbox;
+    set_insecurely = was_set_insecurely("indentexpr");
+    if(set_insecurely) ++sandbox;
     indent = eval_to_number(curbuf->b_p_inde);
-    --sandbox;
+    if(set_insecurely) --sandbox;
 
     /* Restore the cursor position so that 'indentexpr' doesn't need to.
      * Pretend to be in Insert mode, allow cursor past end of line for "o"
--- /home/sumner/src/vim2/src/buffer.c 2005-12-15 05:35:30.000000000 -0500
+++ /home/sumner/src/vim/src/buffer.c 2006-01-12 15:30:09.624736741 -0500
@@ -3503,7 +3503,10 @@
     curwin = wp;
     curbuf = wp->w_buffer;
 
-    str = eval_to_string_safe(p, &t);
+            if(was_set_insecurely("statusline"))
+        str = eval_to_string_safe(p, &t);
+            else
+                str = eval_to_string(p, &t);
 
     curwin = o_curwin;
     curbuf = o_curbuf;