Commit: patch 9.2.0272: [security]: 'tabpanel' can be set in a modeline


Christian Brabandt

Mar 30, 2026, 5:02:21 AMMar 30
to vim...@googlegroups.com
patch 9.2.0272: [security]: 'tabpanel' can be set in a modeline

Commit: https://github.com/vim/vim/commit/664701eb7576edb7c7c7d9f2d600815ec1f43459
Author: Christian Brabandt <c...@256bit.org>
Date: Mon Mar 30 08:20:43 2026 +0000

patch 9.2.0272: [security]: 'tabpanel' can be set in a modeline

Problem: 'tabpanel' can be set in a modeline
Solution: Set the P_MLE flag for the 'tabpanel' option, disable
autocmd_add()/autocmd_delete() functions in restricted/secure
mode.

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvh

Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/autocmd.c b/src/autocmd.c
index e6b6ecbe0..8fe51dc92 100644
--- a/src/autocmd.c
+++ b/src/autocmd.c
@@ -3061,6 +3061,9 @@ autocmd_add_or_delete(typval_T *argvars, typval_T *rettv, int delete)
rettv->v_type = VAR_BOOL;
rettv->vval.v_number = VVAL_FALSE;

+ if (check_restricted() || check_secure())
+ return;
+
if (check_for_list_arg(argvars, 0) == FAIL)
return;
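Review bot: The new guard in autocmd_add_or_delete() has no comment explaining why these two builtins are refused, and the call site does not make the reason obvious. A one-line comment above it would help, for example `// Not allowed in restricted mode or the sandbox, same as defining autocommands with :autocmd.` Because rettv is already set to VVAL_FALSE above the guard, the early return gives the caller false in addition to the error raised by the check function. That is worth stating in the comment so nobody later moves the guard above the rettv initialisation. The function starts and ends outside this hunk.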

diff --git a/src/optiondefs.h b/src/optiondefs.h
index 33d0a7110..ca2795a36 100644
--- a/src/optiondefs.h
+++ b/src/optiondefs.h
@@ -2578,7 +2578,7 @@ static struct vimoption options[] =
(char_u *)&p_tpm, PV_NONE, NULL, NULL,
{(char_u *)10L, (char_u *)0L} SCTX_INIT},
#if defined(FEAT_TABPANEL)
- {"tabpanel", "tpl", P_STRING|P_VI_DEF|P_RALL,
+ {"tabpanel", "tpl", P_STRING|P_VI_DEF|P_RALL|P_MLE,
(char_u *)&p_tpl, PV_NONE, NULL, NULL,
{(char_u *)"", (char_u *)0L} SCTX_INIT},
{"tabpanelopt","tplo", P_STRING|P_ALLOCED|P_VI_DEF|P_ONECOMMA|P_COLON
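Review bot: Adding P_MLE to the `tabpanel` entry only blocks the option while 'modelineexpr' is off, so a user who has enabled 'modelineexpr' can still have it set from a modeline. That residual exposure is not recorded anywhere in this patch. No help-text change is visible here, so the 'tabpanel' documentation should probably gain a sentence saying the option is not accepted from a modeline unless 'modelineexpr' is set. A short comment on the entry would also help, such as `// P_MLE: value may contain expressions, only allowed in a modeline with 'modelineexpr'`; this assumes the value is evaluated the way other format-string options are. The `tabpanelopt` entry that follows is cut off at the end of the hunk, so its flags cannot be checked from here.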
diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
index b18e29f05..592dd4715 100644
--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
@@ -5962,4 +5962,9 @@ func Test_SwapExists_b_nwindows()
%bw!
endfunc

+func Test_autocmd_add_secure()
+ call assert_fails('sandbox call autocmd_add([{"event": "BufRead", "cmd": "let x = 1"}])', 'E48:')
+ call assert_fails('sandbox call autocmd_delete([{"event": "BufRead"}])', 'E48:')
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
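Review bot: Test_autocmd_add_secure() only exercises the sandbox path (E48), so the `check_restricted()` half of the new guard has no coverage. The test also never confirms that nothing was registered. For the second gap, give the entry a distinctive pattern (e.g. `"pattern": "Xsecure"`) and follow the first assert with `call assert_false(exists('#BufRead#Xsecure'))`. That would catch a regression where the error is raised but the autocommand is still added. Covering restricted mode presumably needs a separately started Vim, so it may belong in a different test file, but a comment noting the gap would be useful.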
diff --git a/src/testdir/test_tabpanel.vim b/src/testdir/test_tabpanel.vim
index 556cc3b83..4837a643d 100644
--- a/src/testdir/test_tabpanel.vim
+++ b/src/testdir/test_tabpanel.vim
@@ -872,4 +872,19 @@ function Test_tabpanel_showtabpanel_via_cmd_arg()
set showtabpanel& noruler&
endfunc

+func Test_tabpanel_no_modeline()
+ let _tpl = &tabpanel
+ let _mls = &modelineexpr
+
+ set nomodelineexpr
+ setlocal modeline
+ new
+ call writefile(['/* vim: set tabpanel=test: */'], 'Xtabpanel.txt', 'D')
+ call assert_fails(':e Xtabpanel.txt', 'E992:')
+
+ let &tabpanel = _tpl
+ let &modelineexpr = _mls
+ bw!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
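Review bot: In Test_tabpanel_no_modeline() the `setlocal modeline` line runs before `new`, so it applies to the buffer being left, not to the one that later loads Xtabpanel.txt. The test therefore appears to depend on the global 'modeline' value being on in the test environment. Using `set modeline` there, with `set modeline&` in the cleanup, would make the precondition explicit and restore it afterwards. It would also be worth adding `call assert_equal(_tpl, &tabpanel)` right after the `assert_fails()` line, so the test checks that the rejected modeline left the option untouched and not only that E992 was reported.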
diff --git a/src/version.c b/src/version.c
index 6c60c9dc2..7ea6b064f 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 272,
/**/
271,
/**/