Security: disable the perl checker by default.

LCD 47 2014-03-03 09:43:14 +02:00
parent e677e0655e
commit c18065ea52
3 changed files with 39 additions and 19 deletions


@ -123,20 +123,18 @@ error output for a syntax checker may have changed. In this case, make sure you
have the latest version of the syntax checker installed. If it still fails then have the latest version of the syntax checker installed. If it still fails then
create an issue - or better yet, create a pull request. create an issue - or better yet, create a pull request.
__Q. Recently some of my syntax checker options have stopped working...__ __Q. The `perl` checker has stopped working...__
A. The options are still there, they have just been renamed. Recently, A. The `perl` checker runs `perl -c` against your file, which in turn
almost all syntax checkers were refactored to use the new `makeprgBuild()` __executes__ any `BEGIN`, `UNITCHECK`, and `CHECK` blocks, and any `use`
function. This made a lot of the old explicit options redundant - as they are statements in your file (cf. [perlrun][10]). This is probably fine if you
now implied. The new implied options usually have slightly different names to wrote the file yourself, but it's a security hazard if you're checking third
the old options. party files. Since there is currently no way to disable this behaviour while
still producing useful results, the checker is now disabled by default. To
e.g. Previously there was `g:syntastic_phpcs_conf`, now you must use (re-)enable it, set `g:syntastic_enable_perl_checker` to 1 in your vimrc:
`g:syntastic_php_phpcs_args`. This completely overrides the arguments of ```vim
the checker, including any defaults, so you may need to look up the default let g:syntastic_enable_perl_checker = 1
arguments of the checker and add these in. ```
See `:help syntastic-checker-options` for more information.
__Q. I run a checker and the location list is not updated...__ __Q. I run a checker and the location list is not updated...__
@ -245,3 +243,4 @@ a look at [jedi-vim][7], [python-mode][8], or [YouCompleteMe][9].
[7]: https://github.com/davidhalter/jedi-vim [7]: https://github.com/davidhalter/jedi-vim
[8]: https://github.com/klen/python-mode [8]: https://github.com/klen/python-mode
[9]: https://github.com/Valloric/YouCompleteMe [9]: https://github.com/Valloric/YouCompleteMe
[10]: http://perldoc.perl.org/perlrun.html#*-c*


@ -54,7 +54,7 @@ let s:defaultCheckers = {
\ 'objc': ['gcc'], \ 'objc': ['gcc'],
\ 'objcpp': ['gcc'], \ 'objcpp': ['gcc'],
\ 'ocaml': ['camlp4o'], \ 'ocaml': ['camlp4o'],
\ 'perl': ['perl', 'perlcritic'], \ 'perl': ['perlcritic'],
\ 'php': ['php', 'phpcs', 'phpmd'], \ 'php': ['php', 'phpcs', 'phpmd'],
\ 'po': ['msgfmt'], \ 'po': ['msgfmt'],
\ 'pod': ['podchecker'], \ 'pod': ['podchecker'],


@ -11,6 +11,22 @@
" "
"============================================================================ "============================================================================
" "
" Security:
"
" This checker runs 'perl -c' against your file, which in turn executes
" any BEGIN, UNITCHECK, and CHECK blocks, and any use statements in
" your file. This is probably fine if you wrote the file yourself,
" but it can be a problem if you're trying to check third party files.
" If you are 100% willing to let Vim run the code in your file, set
" g:syntastic_enable_perl_checker to 1 in your vimrc to enable this
" checker:
"
" let g:syntastic_enable_perl_checker = 1
"
" References:
"
" - http://perldoc.perl.org/perlrun.html#*-c*
"
" Checker options: " Checker options:
" "
" - g:syntastic_perl_interpreter (string; default: 'perl') " - g:syntastic_perl_interpreter (string; default: 'perl')
@ -24,11 +40,7 @@
if exists('g:loaded_syntastic_perl_perl_checker') if exists('g:loaded_syntastic_perl_perl_checker')
finish finish
endif endif
let g:loaded_syntastic_perl_perl_checker=1 let g:loaded_syntastic_perl_perl_checker = 1
if !exists('g:syntastic_perl_interpreter')
let g:syntastic_perl_interpreter = 'perl'
endif
if !exists('g:syntastic_perl_lib_path') if !exists('g:syntastic_perl_lib_path')
let g:syntastic_perl_lib_path = [] let g:syntastic_perl_lib_path = []
@ -38,6 +50,10 @@ let s:save_cpo = &cpo
set cpo&vim set cpo&vim
function! SyntaxCheckers_perl_perl_IsAvailable() dict function! SyntaxCheckers_perl_perl_IsAvailable() dict
if !exists('g:syntastic_perl_interpreter')
let g:syntastic_perl_interpreter = self.getExec()
endif
" don't call executable() here, to allow things like " don't call executable() here, to allow things like
" let g:syntastic_perl_interpreter='/usr/bin/env perl' " let g:syntastic_perl_interpreter='/usr/bin/env perl'
silent! call system(syntastic#util#shexpand(g:syntastic_perl_interpreter) . ' -e ' . syntastic#util#shescape('exit(0)')) silent! call system(syntastic#util#shexpand(g:syntastic_perl_interpreter) . ' -e ' . syntastic#util#shescape('exit(0)'))
@ -45,6 +61,11 @@ function! SyntaxCheckers_perl_perl_IsAvailable() dict
endfunction endfunction
function! SyntaxCheckers_perl_perl_GetLocList() dict function! SyntaxCheckers_perl_perl_GetLocList() dict
if !exists('g:syntastic_enable_perl_checker') || !g:syntastic_enable_perl_checker
call syntastic#log#error('checker perl/perl: checks disabled for security reasons; set g:syntastic_enable_perl_checker to 1 to override')
return []
endif
let exe = expand(g:syntastic_perl_interpreter) let exe = expand(g:syntastic_perl_interpreter)
if type(g:syntastic_perl_lib_path) == type('') if type(g:syntastic_perl_lib_path) == type('')
call syntastic#log#deprecationWarn('variable g:syntastic_perl_lib_path should be a list') call syntastic#log#deprecationWarn('variable g:syntastic_perl_lib_path should be a list')
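Review bot: The opt-in added at the top of SyntaxCheckers_perl_perl_GetLocList is a single global switch, so a user who sets g:syntastic_enable_perl_checker = 1 for their own code re-enables `perl -c` (and thus the BEGIN/CHECK/use execution the new header comment warns about) for every Perl buffer, including third-party files. Consulting a buffer-local override first would let users enable it per project (from an autocmd or a project-specific setting) while keeping the safe default elsewhere: `let l:enabled = exists('b:syntastic_enable_perl_checker') ? b:syntastic_enable_perl_checker : (exists('g:syntastic_enable_perl_checker') && g:syntastic_enable_perl_checker)` followed by `if !l:enabled`. The new "Security:" header and the "Checker options:" list should then document `b:syntastic_enable_perl_checker` alongside the global variable. Separately, SyntaxCheckers_perl_perl_IsAvailable still reports the checker as available while it is disabled, so a user who lists `perl` in g:syntastic_perl_checkers only learns of the gate from the error logged at check time; whether IsAvailable should also honour the flag depends on how the checker registry treats unavailable checkers, which is not visible here.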