If file paths configured as `g:ledger_bin` or `g:ledger_main` (or the expansion of `%` in the latter) contain special characters like `|%#<cword>$*\`, then something unexpected may happen while setting the compiler or executing a shell command.
I do not consider it a real security issue, since if an attacker can trick a user into getting or creating a file with a crafted file name, then almost certainly the user can be convinced to execute an arbitrary command.
It seems the most common case, a space character in the `g:ledger_main` file name, has been fixed after several attempts; see 65ba66f, #161, #144, #122, #121, #119, #110.
Currently `'\ -f\ '.substitute(shellescape(expand(b:ledger_main)), ' ', '\\ ', 'g')` is used to create the compiler command. See `:help makeprg` for a warning that more characters must be escaped for `:set`.
When `:make` is executed, some constructs are expanded in the `makeprg` value. They may appear during `expand(b:ledger_main)`, which is `%` by default. This expansion pass may make the earlier `shellescape` ineffective.
Try some funny file name like `:e '/tmp/a \<cword> \ b\| \% c \# '' d \\\ e\$HOME\$something.ledger'`.
It would be safer to use `'\ -f %:S'` in `makeprg`, but `g:ledger_main` is used in other contexts unrelated to the shell, so setting `g:ledger_main` to `%:S` (tried earlier) is not an option.
I cannot suggest a consistent approach for how to allow users to safely set `ledger_main` (and `ledger_bin`)
- to a value derived from the buffer name (`%`),
- or to a literal where no characters have special meaning,
- or to a string with some substitutions that users may expect, like `~/` or `$HOME`.
I am unsure whether Vim script provides facilities to handle all these cases in a way convenient for users and plugin developers.
In #144 (comment) I tried to create a function that should escape its argument for `exe 'CompilerSet makeprg='`... I have no experience with Vim plugins, so I may miss some cases. That bug has been closed with its scope limited to space characters.
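The following is an added example, not code from vim-ledger or from the issue author. It illustrates the layering problem described above: a `makeprg` value passes through three parsers (`:set`/`CompilerSet`, the `:make` expansion pass, and the shell), and the current one-liner only escapes for the first and the last. The example shows the fragile construction next to a variant that escapes for each layer in turn and uses `%:S` when `ledger_main` is simply `%`. It assumes a sh-like shell on Unix (where `shellescape()` uses single quotes; the MS-Windows rules differ), that it runs from a compiler script where `CompilerSet` is defined, and that `g:ledger_bin` is a single path rather than a command with arguments. All function names are hypothetical.

```vim
" Added example, not code from vim-ledger or the issue author. It separates
" the three parsers a 'makeprg' value passes through (the shell, the :make
" expansion pass, and :set/CompilerSet) and escapes for each in turn.
" Assumed: a sh-like shell on Unix (shellescape() uses single quotes there;
" the MS-Windows rules differ), and that this runs from a compiler script
" where CompilerSet is defined. Function names are hypothetical.

" Quote a real path so that it survives the shell and the :make expansion.
function! s:makeprg_value(path) abort
  " shellescape() with {special}=1 single-quotes for the shell and puts a
  " backslash before '%', '#' and cmdline items such as <cword>; the :make
  " expansion pass removes that backslash and leaves the item literal
  " (see :help shellescape() and :help cmdline-special).
  let l:value = shellescape(a:path, 1)
  " {special}=1 also backslashes '!' for the benefit of :!; :make does no
  " history expansion and would hand that backslash to the shell, so undo
  " exactly that insertion (one backslash per '!').
  return substitute(l:value, '\\!', '!', 'g')
endfunction

" Quote an option value for :set: whitespace, backslash, '|' and '"' are
" special to the option parser (see :help option-backslash).
function! s:set_escape(value) abort
  return escape(a:value, " \t\\|\"")
endfunction

" The pattern the issue describes: expand() resolves '%' first, so a real
" file name containing '%', '#' or '<cword>' reaches the :make expansion
" pass after shellescape() already ran, and only spaces are handled for :set.
function! s:fragile_compiler_set(bin, main) abort
  let l:args = '\ -f\ ' . substitute(shellescape(expand(a:main)), ' ', '\\ ', 'g')
  execute 'CompilerSet makeprg=' . a:bin . l:args
endfunction

" Safer variant: when ledger_main is just '%', let :make expand and quote
" the buffer name itself with %:S (see :help ::S); otherwise expand now and
" escape layer by layer. The ledger binary path gets the same treatment.
function! s:safer_compiler_set(bin, main) abort
  let l:bin = s:makeprg_value(a:bin)
  if a:main ==# '%'
    let l:value = l:bin . ' -f %:S'
  else
    let l:value = l:bin . ' -f ' . s:makeprg_value(expand(a:main))
  endif
  execute 'CompilerSet makeprg=' . s:set_escape(l:value)
endfunction

" Still special after these layers, and not handled here: '$*' in the
" option value is replaced by the :make arguments (see :help 'makeprg'), and
" '$NAME' is expanded as an environment variable by :set (see :help :set_env).
```

A quick way to compare the two is to open a file with one of the names from the issue, call `s:safer_compiler_set(get(g:, 'ledger_bin', 'ledger'), get(g:, 'ledger_main', '%'))`, and inspect `:set makeprg?` and the command line that `:make` actually runs. The `$*` and `$NAME` cases are listed in the closing comment because they are expanded at stages this layering does not reach, which is the part of the issue that stays open.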