patch 9.0.2070: [security] disallow setting env in restricted mode

Problem: [security] disallow setting env in restricted mode Solution: Setting environment variables in restricted mode could potentially be used to execute shell commands. Disallow this. restricted mode: disable allow setting of environment variables Setting environment variables in restricted mode, may have some unwanted consequences. So, for example by setting $GCONV_PATH in restricted mode and then calling the iconv() function, one may be able to execute some unwanted payload, because the `iconv_open()` function internally uses the `$GCONV_PATH` variable to find its conversion data. So let's disable setting environment variables, even so this is no complete protection, since we are not clearing the existing environment. I tried a few ways but wasn't successful :( One could also argue to disable the iconv() function completely in restricted mode, but who knows what other API functions can be influenced by setting some other unrelated environment variables. So let's leave it as it is currently. closes: #13394 See: https://huntr.com/bounties/b0a2eda1-459c-4e36-98e6-0cc7d7faccfe/ Signed-off-by: Christian Brabandt <cb@256bit.org>
2025-07-16 09:12:00 +00:00 · 2023-10-26 22:14:17 +02:00
parent 67ec655383
commit 6b89dd6a72
3 changed files with 12 additions and 4 deletions
--- a/runtime/doc/starting.txt
+++ b/runtime/doc/starting.txt
@ -1,4 +1,4 @@
-*starting.txt*  For Vim version 9.0.  Last change: 2023 Oct 17
+*starting.txt*  For Vim version 9.0.  Last change: 2023 Oct 20


 		  VIM REFERENCE MANUAL    by Bram Moolenaar
@ -249,10 +249,10 @@ a slash.  Thus "-R" means recovery and "-/R" readonly.
 					*-Z* *restricted-mode* *E145* *E981*
 -Z		Restricted mode.  All commands that make use of an external
 		shell are disabled.  This includes suspending with CTRL-Z,
-		":sh", filtering, the system() function, backtick expansion
+		":sh", filtering, the |system()| function, backtick expansion
 		and libcall().
-		Also disallowed are delete(), rename(), mkdir(), job_start(),
-		etc.
+		Also disallowed are |delete()|, |rename()|, |mkdir()|,
+		|job_start()|, |setenv()| etc.
 		Interfaces, such as Python, Ruby and Lua, are also disabled,
 		since they could be used to execute shell commands.  Perl uses
 		the Safe module.
--- a/src/evalfunc.c
+++ b/src/evalfunc.c
@ -9723,6 +9723,12 @@ f_setenv(typval_T *argvars, typval_T *rettv UNUSED)
    if (in_vim9script() && check_for_string_arg(argvars, 0) == FAIL)
 	return;

+    // seting an environment variable may be dangerous, e.g. you could
+    // setenv GCONV_PATH=/tmp and then have iconv() unexpectedly call
+    // a shell command using some shared library:
+    if (check_restricted() || check_secure())
+	return;
+
    name = tv_get_string_buf(&argvars[0], namebuf);
    if (argvars[1].v_type == VAR_SPECIAL
 				      && argvars[1].vval.v_number == VVAL_NULL)
--- a/src/version.c
+++ b/src/version.c
@ -704,6 +704,8 @@ static char *(features[]) =

 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2070,
 /**/
    2069,
 /**/