Patch 7.0.234
Problem:    It's possible to use feedkeys() from a modeline.  That is a
            security issue, can be used for a trojan horse.
Solution:   Disallow using feedkeys() in the sandbox.
Files:      src/eval.c


*** ../vim-7.0.233/src/eval.c   Thu Apr 26 17:08:16 2007
--- src/eval.c  Fri Apr 27 21:48:18 2007
***************
*** 9078,9083 ****
--- 9078,9089 ----
      int               typed = FALSE;
      char_u    *keys_esc;
  
+     /* This is not allowed in the sandbox.  If the commands would still be
+      * executed in the sandbox it would be OK, but it probably happens later,
+      * when "sandbox" is no longer set. */
+     if (check_secure())
+       return;
+ 
      rettv->vval.v_number = 0;
      keys = get_tv_string(&argvars[0]);
      if (*keys != NUL)
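
Review bot: The new check_secure() early return sits above `rettv->vval.v_number = 0;`, so when the call is refused in the sandbox the function returns without making the assignment it performs on the normal path. Moving the check below that line, or setting rettv->vval.v_number before the `return;`, keeps the result defined in both cases. The comment explains clearly why keys queued here would run after "sandbox" is cleared. Since Files: lists only src/eval.c, no test accompanies the change, so a regression test that calls feedkeys() under the sandbox would be worth adding.
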
*** ../vim-7.0.233/src/version.c        Thu Apr 26 18:42:17 2007
--- src/version.c       Fri Apr 27 22:13:23 2007
***************
*** 668,669 ****
--- 668,671 ----
  {   /* Add new patch number below this line */
+ /**/
+     234,
  /**/

-- 
"Making it up?  Why should I want to make anything up?  Life's bad enough
as it is without wanting to invent any more of it."
                -- Marvin, the Paranoid Android in Douglas Adams'
                   "The Hitchhiker's Guide to the Galaxy"

 /// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
