Prevent insecure plugin names.

Plugins' names which contain '../', '$HOME', '%:h:h', '..\', etc.
can be dangerous.
Use a sensible whitelist for plugin names and prevent its expansion.
This commit is contained in:
Shahaf Arad 2015-03-13 20:00:47 +02:00
parent 34a307786b
commit 2506347586

View File

@ -97,6 +97,9 @@ funct! s:check_bundle_name(bundle)
\ ' previously used the name "' . a:bundle.name . '"' . \ ' previously used the name "' . a:bundle.name . '"' .
\ '. Skipping Plugin ' . a:bundle.name_spec . '.' \ '. Skipping Plugin ' . a:bundle.name_spec . '.'
return 0 return 0
elseif a:bundle.name !~ '\v^[A-Za-z0-9_-]%(\.?[A-Za-z0-9_-])*$'
echoerr 'Invalid plugin name: ' . a:bundle.name
return 0
endif endif
let s:bundle_names[a:bundle.name] = a:bundle.name_spec let s:bundle_names[a:bundle.name] = a:bundle.name_spec
return 1 return 1
@ -262,7 +265,7 @@ let s:bundle = {}
" return -- the target location to clone this bundle to " return -- the target location to clone this bundle to
" --------------------------------------------------------------------------- " ---------------------------------------------------------------------------
func! s:bundle.path() func! s:bundle.path()
return s:expand_path(g:vundle#bundle_dir.'/'.self.name) return s:expand_path(g:vundle#bundle_dir.'/') . self.name
endf endf