To: vim_dev@googlegroups.com Subject: Patch 8.2.4282 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.2.4282 Problem: Restricted mode requires the -Z command line option. Solution: Use restricted mode when $SHELL ends in "nologin" or "false". (closes #9681) Files: runtime/doc/starting.txt, src/option.c, src/testdir/test_restricted.vim *** ../vim-8.2.4281/runtime/doc/starting.txt 2021-05-29 18:53:46.455055663 +0100 --- runtime/doc/starting.txt 2022-02-01 17:23:57.358435792 +0000 *************** *** 256,261 **** --- 256,263 ---- Interfaces, such as Python, Ruby and Lua, are also disabled, since they could be used to execute shell commands. Perl uses the Safe module. + For Unix restricted mode is used when the last part of $SHELL + is "nologin" or "false". Note that the user may still find a loophole to execute a shell command, it has only been made difficult. *** ../vim-8.2.4281/src/option.c 2022-01-31 14:59:33.518943700 +0000 --- src/option.c 2022-02-01 17:17:15.275300416 +0000 *************** *** 307,312 **** --- 307,323 ---- */ set_options_default(0); + #ifdef UNIX + // Force restricted-mode on for "nologin" or "false" $SHELL + p = get_isolated_shell_name(); + if (p != NULL) + { + if (fnamecmp(p, "nologin") == 0 || fnamecmp(p, "false") == 0) + restricted = TRUE; + vim_free(p); + } + #endif + #ifdef CLEAN_RUNTIMEPATH if (clean_arg) { *** ../vim-8.2.4281/src/testdir/test_restricted.vim 2020-03-30 18:36:42.851754324 +0100 --- src/testdir/test_restricted.vim 2022-02-01 17:22:29.774654429 +0000 *************** *** 105,110 **** --- 105,118 ---- if RunVim([], [], '-Z --clean -S Xrestricted') call assert_equal([], readfile('Xresult')) endif + call delete('Xresult') + if has('unix') && RunVimPiped([], [], '--clean -S Xrestricted', 'SHELL=/bin/false ') + call assert_equal([], readfile('Xresult')) + endif + call delete('Xresult') + if has('unix') && RunVimPiped([], [], '--clean -S 
Xrestricted', 'SHELL=/sbin/nologin') + call assert_equal([], readfile('Xresult')) + endif call delete('Xrestricted') call delete('Xresult') *** ../vim-8.2.4281/src/version.c 2022-02-01 13:54:11.651302024 +0000 --- src/version.c 2022-02-01 17:24:13.534396192 +0000 *************** *** 748,749 **** --- 748,751 ---- { /* Add new patch number below this line */ + /**/ + 4282, /**/ -- Team-building exercises come in many forms but they all trace their roots back to the prison system. In your typical team-building exercise the employees are subjected to a variety of unpleasant situations until they become either a cohesive team or a ring of car jackers. (Scott Adams - The Dilbert principle) /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// \\\ \\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
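Review bot: In the runtime/doc/starting.txt hunk, the added sentence does not say that this applies without -Z, and "the last part of $SHELL" is less precise than what src/option.c does, which is an equality comparison with fnamecmp() against "nologin" and "false". Suggested wording: 'On Unix, restricted mode is also used without -Z when the last path component of $SHELL is exactly "nologin" or "false".' The Problem/Solution text says "ends in", so using one wording in both places would avoid confusion about whether a longer name with that suffix counts.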
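Review bot: In the src/option.c hunk, the `if (p != NULL)` guard means that when get_isolated_shell_name() returns NULL the whole block is skipped and `restricted` keeps its previous value, so the check fails open. Either set `restricted = TRUE` in that case, or extend the comment to say when NULL can be returned and why skipping is acceptable. Since the name is derived from $SHELL, the comment could also say that this is a default for accounts configured with such a shell, in line with the "loophole" sentence that follows the new text in starting.txt.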
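Review bot: In the src/testdir/test_restricted.vim hunk, both new cases only check that restricted mode is on for 'SHELL=/bin/false ' and 'SHELL=/sbin/nologin'; there is no case showing that an ordinary $SHELL value without -Z leaves restricted mode off, so a change that made restricted mode unconditional would still pass. Add a negative case with its own expected Xresult. Also, the first call passes the environment string with a trailing space and the second does not; make the two consistent or add a comment on why they differ. Because each assert sits inside `if has('unix') && RunVimPiped(...)`, a failed RunVimPiped() skips the assertion silently, which is worth a note as well.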