patch 9.2.0561: [security]: possible code execution with python3complete

Commit: 
https://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d
Author: Christian Brabandt <[email protected]>
Date:   Fri May 29 19:05:53 2026 +0000

    patch 9.2.0561: [security]: possible code execution with python3complete
    
    Problem:  [security]: possible code execution with python3complete
    Solution: Disable execution of import/from statements
    
    Github Security Advisory:
    https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c
    
    Signed-off-by: Christian Brabandt <[email protected]>

diff --git a/runtime/autoload/README.txt b/runtime/autoload/README.txt
index 3b18d3dde..b22581963 100644
--- a/runtime/autoload/README.txt
+++ b/runtime/autoload/README.txt
@@ -17,6 +17,7 @@ htmlcomplete.vim      HTML
 javascriptcomplete.vim  Javascript
 phpcomplete.vim                PHP
 pythoncomplete.vim     Python
+python3complete.vim Python
 rubycomplete.vim       Ruby
 syntaxcomplete.vim     from syntax highlighting
 xmlcomplete.vim                XML (uses files in the xml directory)
diff --git a/runtime/autoload/python3complete.vim 
b/runtime/autoload/python3complete.vim
index 3e54433f4..2b6a65252 100644
--- a/runtime/autoload/python3complete.vim
+++ b/runtime/autoload/python3complete.vim
@@ -14,6 +14,10 @@
 "   i.e. "import url<c-x,c-o>"
 " Continue parsing on invalid line??
 "
+" v 0.10 by Vim project
+"   * disables importing local modules, unless the global Vim variable
+"     g:pythoncomplete_allow_import is set to non-zero
+"
 " v 0.9
 "   * Fixed docstring parsing for classes and functions
 "   * Fixed parsing of *args and **kwargs type arguments
@@ -132,11 +136,20 @@ class Completer(object):
 
     def evalsource(self,text,line=0):
         sc = self.parser.parse(text,line)
+        try: allow_imports = int(
+          vim.eval("get(g:, 'pythoncomplete_allow_import', 0)"))
+        except Exception:
+          allow_imports = 0
         src = sc.get_code()
         dbg("source: %s" % src)
         try: exec(src,self.compldict)
         except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1]))
         for l in sc.locals:
+            # Executing import/from statements harvested from the buffer runs
+            # arbitrary package code; only do so when the user opted in.
+            if not allow_imports and (l.startswith('import')
+                                            or l.startswith('from ')):
+                continue
             try: exec(l,self.compldict)
             except: dbg("locals: %s, %s [%s]" % 
(sys.exc_info()[0],sys.exc_info()[1],l))
 
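Review bot: Setting g:pythoncomplete_allow_import does not restore the pre-patch behaviour, because Scope.get_code (the hunk at L68-90, and the matching pythoncomplete.vim hunks at L107-127 and L129-150) now drops import/from lines from `src` unconditionally, while evalsource only executes them afterwards in the `sc.locals` loop. Any class or function in `src` that refers to an imported name at definition time (a base class, a decorator, a default argument) therefore fails inside `exec(src, self.compldict)`, the bare except only logs it, and buffer-defined names stop completing even for users who opted in. If the opt-in is meant to keep the old behaviour, the call here could become `src = sc.get_code(include_imports=bool(allow_imports))`, with get_code taking that keyword and emitting the import/from lines ahead of the class definitions only when it is true. Separately, `l.startswith('import')` also matches assignments to names such as `important`; unless the parser normalises whitespace, `l.startswith(('import ', 'import\t', 'from '))` would be the tighter test for both the skip here and the filter in get_code. The rest of Completer is outside the hunk.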
@@ -300,13 +313,11 @@ class Scope(object):
     def get_code(self):
         str = ""
         if len(self.docstr) > 0: str += '"""'+self.docstr+'"""
'
-        for l in self.locals:
-            if l.startswith('import'): str += l+'
'
         str += 'class _PyCmplNoType:
    def __getattr__(self,name):
        return None
'
         for sub in self.subscopes:
             str += sub.get_code()
         for l in self.locals:
-            if not l.startswith('import'): str += l+'
'
+            if not l.startswith('import') and not l.startswith('from '): str 
+= l+'
'
 
         return str
 
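Review bot: The filter on the second loop is now two negated `startswith` calls joined by `and`; `startswith` accepts a tuple, so `if not l.startswith(('import', 'from ')): str += l+'\n'` says the same thing on one line and keeps the pair of prefixes in one place. The same applies to the pythoncomplete.vim copy of get_code at L129-150.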
diff --git a/runtime/autoload/pythoncomplete.vim 
b/runtime/autoload/pythoncomplete.vim
index aa28bb721..10147767e 100644
--- a/runtime/autoload/pythoncomplete.vim
+++ b/runtime/autoload/pythoncomplete.vim
@@ -12,6 +12,10 @@
 "   i.e. "import url<c-x,c-o>"
 " Continue parsing on invalid line??
 "
+" v 0.10 by Vim project
+"   * disables importing local modules, unless the global Vim variable
+"     g:pythoncomplete_allow_import is set to non-zero
+"
 " v 0.9
 "   * Fixed docstring parsing for classes and functions
 "   * Fixed parsing of *args and **kwargs type arguments
@@ -146,11 +150,20 @@ class Completer(object):
 
     def evalsource(self,text,line=0):
         sc = self.parser.parse(text,line)
+        try: allow_imports = int(
+          vim.eval("get(g:, 'pythoncomplete_allow_import', 0)"))
+        except Exception:
+          allow_imports = 0
         src = sc.get_code()
         dbg("source: %s" % src)
         try: exec(src) in self.compldict
         except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1]))
         for l in sc.locals:
+            # Executing import/from statements harvested from the buffer runs
+            # arbitrary package code; only do so when the user opted in.
+            if not allow_imports and (l.startswith('import')
+                                            or l.startswith('from ')):
+                continue
             try: exec(l) in self.compldict
             except: dbg("locals: %s, %s [%s]" % 
(sys.exc_info()[0],sys.exc_info()[1],l))
 
@@ -315,13 +328,11 @@ class Scope(object):
     def get_code(self):
         str = ""
         if len(self.docstr) > 0: str += '"""'+self.docstr+'"""
'
-        for l in self.locals:
-            if l.startswith('import'): str += l+'
'
         str += 'class _PyCmplNoType:
    def __getattr__(self,name):
        return None
'
         for sub in self.subscopes:
             str += sub.get_code()
         for l in self.locals:
-            if not l.startswith('import'): str += l+'
'
+            if not l.startswith('import') and not l.startswith('from '): str 
+= l+'
'
 
         return str
 
diff --git a/runtime/doc/filetype.txt b/runtime/doc/filetype.txt
index 80c3bb810..a9a0e9220 100644
--- a/runtime/doc/filetype.txt
+++ b/runtime/doc/filetype.txt
@@ -976,7 +976,20 @@ By default the following options are set, in accordance 
with PEP8: >
 To disable this behavior, set the following variable in your vimrc: >
 
        let g:python_recommended_style = 0
-
+<
+Python omni-completion |compl-omni| is provided by python3complete.vim (or
+pythoncomplete.vim) for Vim builds with the |+python|/|+python3| interpreter.
+By default it does not inspect the import / from statements found in the
+buffer. This means completion of names defined in the buffer itself (classes,
+functions, variables) works, but completion of members of imported modules is
+not offered.
+
+To enable completion of imported module members, set: >
+       let g:pythoncomplete_allow_import = 1
+<
+WARNING: enabling this causes omni-completion to execute the import statements
+found in the buffer through Python's import machinery, which runs the imported
+modules' top-level code. Only enable this for code you trust.
 
 QF QUICKFIX                                        *qf.vim* *ft-qf-plugin*
 
diff --git a/src/version.c b/src/version.c
index cb845499e..d7e0f590f 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    561,
 /**/
     560,
 /**/
