Commit: patch 9.2.0561: [security]: possible code execution with python3complete
3 views
Skip to first unread message
Christian Brabandt
May 29, 2026, 3:15:12 PM (2 days ago) May 29
to vim...@googlegroups.com
patch 9.2.0561: [security]: possible code execution with python3complete
Commit: https://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d
Author: Christian Brabandt <c...@256bit.org>
Date: Fri May 29 19:05:53 2026 +0000
patch 9.2.0561: [security]: possible code execution with python3complete
Problem: [security]: possible code execution with python3complete
Solution: Disable execution of import/from statements
Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/runtime/autoload/README.txt b/runtime/autoload/README.txt
index 3b18d3dde..b22581963 100644
--- a/runtime/autoload/README.txt
+++ b/runtime/autoload/README.txt
@@ -17,6 +17,7 @@ htmlcomplete.vim HTML
javascriptcomplete.vim Javascript
phpcomplete.vim PHP
pythoncomplete.vim Python
+python3complete.vim Python
rubycomplete.vim Ruby
syntaxcomplete.vim from syntax highlighting
xmlcomplete.vim XML (uses files in the xml directory)
diff --git a/runtime/autoload/python3complete.vim b/runtime/autoload/python3complete.vim
index 3e54433f4..2b6a65252 100644
--- a/runtime/autoload/python3complete.vim
+++ b/runtime/autoload/python3complete.vim
@@ -14,6 +14,10 @@
" i.e. "import url<c-x,c-o>"
" Continue parsing on invalid line??
"
+" v 0.10 by Vim project
+" * disables importing local modules, unless the global Vim variable
+" g:pythoncomplete_allow_import is set to non-zero
+"
" v 0.9
" * Fixed docstring parsing for classes and functions
" * Fixed parsing of *args and **kwargs type arguments
@@ -132,11 +136,20 @@ class Completer(object):
def evalsource(self,text,line=0):
sc = self.parser.parse(text,line)
+ try: allow_imports = int(
+ vim.eval("get(g:, 'pythoncomplete_allow_import', 0)"))
+ except Exception:
+ allow_imports = 0
src = sc.get_code()
dbg("source: %s" % src)
try: exec(src,self.compldict)
except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1]))
for l in sc.locals:
+ # Executing import/from statements harvested from the buffer runs
+ # arbitrary package code; only do so when the user opted in.
+ if not allow_imports and (l.startswith('import')
+ or l.startswith('from ')):
+ continue
try: exec(l,self.compldict)
except: dbg("locals: %s, %s [%s]" % (sys.exc_info()[0],sys.exc_info()[1],l))
@@ -300,13 +313,11 @@ class Scope(object):
def get_code(self):
str = ""
if len(self.docstr) > 0: str += '"""'+self.docstr+'"""
'
- for l in self.locals:
- if l.startswith('import'): str += l+'
'
str += 'class _PyCmplNoType:
def __getattr__(self,name):
return None
'
for sub in self.subscopes:
str += sub.get_code()
for l in self.locals:
- if not l.startswith('import'): str += l+'
'
+ if not l.startswith('import') and not l.startswith('from '): str += l+'
'
return str
diff --git a/runtime/autoload/pythoncomplete.vim b/runtime/autoload/pythoncomplete.vim
index aa28bb721..10147767e 100644
--- a/runtime/autoload/pythoncomplete.vim
+++ b/runtime/autoload/pythoncomplete.vim
@@ -12,6 +12,10 @@
" i.e. "import url<c-x,c-o>"
" Continue parsing on invalid line??
"
+" v 0.10 by Vim project
+" * disables importing local modules, unless the global Vim variable
+" g:pythoncomplete_allow_import is set to non-zero
+"
" v 0.9
" * Fixed docstring parsing for classes and functions
" * Fixed parsing of *args and **kwargs type arguments
@@ -146,11 +150,20 @@ class Completer(object):
def evalsource(self,text,line=0):
sc = self.parser.parse(text,line)
+ try: allow_imports = int(
+ vim.eval("get(g:, 'pythoncomplete_allow_import', 0)"))
+ except Exception:
+ allow_imports = 0
src = sc.get_code()
dbg("source: %s" % src)
try: exec(src) in self.compldict
except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1]))
for l in sc.locals:
+ # Executing import/from statements harvested from the buffer runs
+ # arbitrary package code; only do so when the user opted in.
+ if not allow_imports and (l.startswith('import')
+ or l.startswith('from ')):
+ continue
try: exec(l) in self.compldict
except: dbg("locals: %s, %s [%s]" % (sys.exc_info()[0],sys.exc_info()[1],l))
@@ -315,13 +328,11 @@ class Scope(object):
def get_code(self):
str = ""
if len(self.docstr) > 0: str += '"""'+self.docstr+'"""
'
- for l in self.locals:
- if l.startswith('import'): str += l+'
'
str += 'class _PyCmplNoType:
def __getattr__(self,name):
return None
'
for sub in self.subscopes:
str += sub.get_code()
for l in self.locals:
- if not l.startswith('import'): str += l+'
'
+ if not l.startswith('import') and not l.startswith('from '): str += l+'
'
return str
diff --git a/runtime/doc/filetype.txt b/runtime/doc/filetype.txt
index 80c3bb810..a9a0e9220 100644
--- a/runtime/doc/filetype.txt
+++ b/runtime/doc/filetype.txt
@@ -976,7 +976,20 @@ By default the following options are set, in accordance with PEP8: >
To disable this behavior, set the following variable in your vimrc: >
let g:python_recommended_style = 0
-
+<
+Python omni-completion |compl-omni| is provided by python3complete.vim (or
+pythoncomplete.vim) for Vim builds with the |+python|/|+python3| interpreter.
+By default it does not inspect the import / from statements found in the
+buffer. This means completion of names defined in the buffer itself (classes,
+functions, variables) works, but completion of members of imported modules is
+not offered.
+
+To enable completion of imported module members, set: >
+ let g:pythoncomplete_allow_import = 1
+<
+WARNING: enabling this causes omni-completion to execute the import statements
+found in the buffer through Python's import machinery, which runs the imported
+modules' top-level code. Only enable this for code you trust.
QF QUICKFIX *qf.vim* *ft-qf-plugin*
diff --git a/src/version.c b/src/version.c
index cb845499e..d7e0f590f 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 561,
/**/
560,
/**/
Commit: https://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d
Author: Christian Brabandt <c...@256bit.org>
Date: Fri May 29 19:05:53 2026 +0000
patch 9.2.0561: [security]: possible code execution with python3complete
Problem: [security]: possible code execution with python3complete
Solution: Disable execution of import/from statements
Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/runtime/autoload/README.txt b/runtime/autoload/README.txt
index 3b18d3dde..b22581963 100644
--- a/runtime/autoload/README.txt
+++ b/runtime/autoload/README.txt
@@ -17,6 +17,7 @@ htmlcomplete.vim HTML
javascriptcomplete.vim Javascript
phpcomplete.vim PHP
pythoncomplete.vim Python
+python3complete.vim Python
rubycomplete.vim Ruby
syntaxcomplete.vim from syntax highlighting
xmlcomplete.vim XML (uses files in the xml directory)
diff --git a/runtime/autoload/python3complete.vim b/runtime/autoload/python3complete.vim
index 3e54433f4..2b6a65252 100644
--- a/runtime/autoload/python3complete.vim
+++ b/runtime/autoload/python3complete.vim
@@ -14,6 +14,10 @@
" i.e. "import url<c-x,c-o>"
" Continue parsing on invalid line??
"
+" v 0.10 by Vim project
+" * disables importing local modules, unless the global Vim variable
+" g:pythoncomplete_allow_import is set to non-zero
+"
" v 0.9
" * Fixed docstring parsing for classes and functions
" * Fixed parsing of *args and **kwargs type arguments
@@ -132,11 +136,20 @@ class Completer(object):
def evalsource(self,text,line=0):
sc = self.parser.parse(text,line)
+ try: allow_imports = int(
+ vim.eval("get(g:, 'pythoncomplete_allow_import', 0)"))
+ except Exception:
+ allow_imports = 0
src = sc.get_code()
dbg("source: %s" % src)
try: exec(src,self.compldict)
except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1]))
for l in sc.locals:
+ # Executing import/from statements harvested from the buffer runs
+ # arbitrary package code; only do so when the user opted in.
+ if not allow_imports and (l.startswith('import')
+ or l.startswith('from ')):
+ continue
try: exec(l,self.compldict)
except: dbg("locals: %s, %s [%s]" % (sys.exc_info()[0],sys.exc_info()[1],l))
@@ -300,13 +313,11 @@ class Scope(object):
def get_code(self):
str = ""
if len(self.docstr) > 0: str += '"""'+self.docstr+'"""
'
- for l in self.locals:
- if l.startswith('import'): str += l+'
'
str += 'class _PyCmplNoType:
def __getattr__(self,name):
return None
'
for sub in self.subscopes:
str += sub.get_code()
for l in self.locals:
- if not l.startswith('import'): str += l+'
'
+ if not l.startswith('import') and not l.startswith('from '): str += l+'
'
return str
diff --git a/runtime/autoload/pythoncomplete.vim b/runtime/autoload/pythoncomplete.vim
index aa28bb721..10147767e 100644
--- a/runtime/autoload/pythoncomplete.vim
+++ b/runtime/autoload/pythoncomplete.vim
@@ -12,6 +12,10 @@
" i.e. "import url<c-x,c-o>"
" Continue parsing on invalid line??
"
+" v 0.10 by Vim project
+" * disables importing local modules, unless the global Vim variable
+" g:pythoncomplete_allow_import is set to non-zero
+"
" v 0.9
" * Fixed docstring parsing for classes and functions
" * Fixed parsing of *args and **kwargs type arguments
@@ -146,11 +150,20 @@ class Completer(object):
def evalsource(self,text,line=0):
sc = self.parser.parse(text,line)
+ try: allow_imports = int(
+ vim.eval("get(g:, 'pythoncomplete_allow_import', 0)"))
+ except Exception:
+ allow_imports = 0
src = sc.get_code()
dbg("source: %s" % src)
try: exec(src) in self.compldict
except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1]))
for l in sc.locals:
+ # Executing import/from statements harvested from the buffer runs
+ # arbitrary package code; only do so when the user opted in.
+ if not allow_imports and (l.startswith('import')
+ or l.startswith('from ')):
+ continue
try: exec(l) in self.compldict
except: dbg("locals: %s, %s [%s]" % (sys.exc_info()[0],sys.exc_info()[1],l))
@@ -315,13 +328,11 @@ class Scope(object):
def get_code(self):
str = ""
if len(self.docstr) > 0: str += '"""'+self.docstr+'"""
'
- for l in self.locals:
- if l.startswith('import'): str += l+'
'
str += 'class _PyCmplNoType:
def __getattr__(self,name):
return None
'
for sub in self.subscopes:
str += sub.get_code()
for l in self.locals:
- if not l.startswith('import'): str += l+'
'
+ if not l.startswith('import') and not l.startswith('from '): str += l+'
'
return str
diff --git a/runtime/doc/filetype.txt b/runtime/doc/filetype.txt
index 80c3bb810..a9a0e9220 100644
--- a/runtime/doc/filetype.txt
+++ b/runtime/doc/filetype.txt
@@ -976,7 +976,20 @@ By default the following options are set, in accordance with PEP8: >
To disable this behavior, set the following variable in your vimrc: >
let g:python_recommended_style = 0
-
+<
+Python omni-completion |compl-omni| is provided by python3complete.vim (or
+pythoncomplete.vim) for Vim builds with the |+python|/|+python3| interpreter.
+By default it does not inspect the import / from statements found in the
+buffer. This means completion of names defined in the buffer itself (classes,
+functions, variables) works, but completion of members of imported modules is
+not offered.
+
+To enable completion of imported module members, set: >
+ let g:pythoncomplete_allow_import = 1
+<
+WARNING: enabling this causes omni-completion to execute the import statements
+found in the buffer through Python's import machinery, which runs the imported
+modules' top-level code. Only enable this for code you trust.
QF QUICKFIX *qf.vim* *ft-qf-plugin*
diff --git a/src/version.c b/src/version.c
index cb845499e..d7e0f590f 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 561,
/**/
560,
/**/
Reply all
Reply to author
Forward
0 new messages