Security: disable the perl checker by default.

LCD 47 2014-03-03 09:43:14 +02:00
parent e677e0655e
commit c18065ea52
3 changed files with 39 additions and 19 deletions


@ -123,20 +123,18 @@ error output for a syntax checker may have changed. In this case, make sure you
have the latest version of the syntax checker installed. If it still fails then
create an issue - or better yet, create a pull request.
__Q. Recently some of my syntax checker options have stopped working...__
__Q. The `perl` checker has stopped working...__
A. The options are still there, they have just been renamed. Recently,
almost all syntax checkers were refactored to use the new `makeprgBuild()`
function. This made a lot of the old explicit options redundant - as they are
now implied. The new implied options usually have slightly different names to
the old options.
e.g. Previously there was `g:syntastic_phpcs_conf`, now you must use
`g:syntastic_php_phpcs_args`. This completely overrides the arguments of
the checker, including any defaults, so you may need to look up the default
arguments of the checker and add these in.
See `:help syntastic-checker-options` for more information.
A. The `perl` checker runs `perl -c` against your file, which in turn
__executes__ any `BEGIN`, `UNITCHECK`, and `CHECK` blocks, and any `use`
statements in your file (cf. [perlrun][10]). This is probably fine if you
wrote the file yourself, but it's a security hazard if you're checking third
party files. Since there is currently no way to disable this behaviour while
still producing useful results, the checker is now disabled by default. To
(re-)enable it, set `g:syntastic_enable_perl_checker` to 1 in your vimrc:
```vim
let g:syntastic_enable_perl_checker = 1
```
__Q. I run a checker and the location list is not updated...__
@ -245,3 +243,4 @@ a look at [jedi-vim][7], [python-mode][8], or [YouCompleteMe][9].
[7]: https://github.com/davidhalter/jedi-vim
[8]: https://github.com/klen/python-mode
[9]: https://github.com/Valloric/YouCompleteMe
[10]: http://perldoc.perl.org/perlrun.html#*-c*


@ -54,7 +54,7 @@ let s:defaultCheckers = {
\ 'objc': ['gcc'],
\ 'objcpp': ['gcc'],
\ 'ocaml': ['camlp4o'],
\ 'perl': ['perl', 'perlcritic'],
\ 'perl': ['perlcritic'],
\ 'php': ['php', 'phpcs', 'phpmd'],
\ 'po': ['msgfmt'],
\ 'pod': ['podchecker'],


@ -11,6 +11,22 @@
"
"============================================================================
"
" Security:
"
" This checker runs 'perl -c' against your file, which in turn executes
" any BEGIN, UNITCHECK, and CHECK blocks, and any use statements in
" your file. This is probably fine if you wrote the file yourself,
" but it can be a problem if you're trying to check third party files.
" If you are 100% willing to let Vim run the code in your file, set
" g:syntastic_enable_perl_checker to 1 in your vimrc to enable this
" checker:
"
" let g:syntastic_enable_perl_checker = 1
"
" References:
"
" - http://perldoc.perl.org/perlrun.html#*-c*
"
" Checker options:
"
" - g:syntastic_perl_interpreter (string; default: 'perl')
@ -26,10 +42,6 @@ if exists('g:loaded_syntastic_perl_perl_checker')
endif
let g:loaded_syntastic_perl_perl_checker = 1
if !exists('g:syntastic_perl_interpreter')
let g:syntastic_perl_interpreter = 'perl'
endif
if !exists('g:syntastic_perl_lib_path')
let g:syntastic_perl_lib_path = []
endif
@ -38,6 +50,10 @@ let s:save_cpo = &cpo
set cpo&vim
function! SyntaxCheckers_perl_perl_IsAvailable() dict
if !exists('g:syntastic_perl_interpreter')
let g:syntastic_perl_interpreter = self.getExec()
endif
" don't call executable() here, to allow things like
" let g:syntastic_perl_interpreter='/usr/bin/env perl'
silent! call system(syntastic#util#shexpand(g:syntastic_perl_interpreter) . ' -e ' . syntastic#util#shescape('exit(0)'))
@ -45,6 +61,11 @@ function! SyntaxCheckers_perl_perl_IsAvailable() dict
endfunction
function! SyntaxCheckers_perl_perl_GetLocList() dict
if !exists('g:syntastic_enable_perl_checker') || !g:syntastic_enable_perl_checker
call syntastic#log#error('checker perl/perl: checks disabled for security reasons; set g:syntastic_enable_perl_checker to 1 to override')
return []
endif
let exe = expand(g:syntastic_perl_interpreter)
if type(g:syntastic_perl_lib_path) == type('')
call syntastic#log#deprecationWarn('variable g:syntastic_perl_lib_path should be a list')
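Review bot: The new security guard sits only in SyntaxCheckers_perl_perl_GetLocList, so SyntaxCheckers_perl_perl_IsAvailable still reports the checker as usable and a user who lists `perl` in g:syntastic_perl_checkers will have it selected and see the error logged on every check instead of the checker being skipped. Consider mirroring the guard at the top of IsAvailable so a disabled checker is also treated as unavailable: `if !exists('g:syntastic_enable_perl_checker') || !g:syntastic_enable_perl_checker` followed by the same syntastic#log#error call and `return 0`; the guard in GetLocList can stay as defence in depth. Note also that the default for g:syntastic_perl_interpreter is no longer set at load time but only inside IsAvailable, so `expand(g:syntastic_perl_interpreter)` in GetLocList presumably relies on IsAvailable having run first — worth confirming the registry guarantees that order before GetLocList is called. GetLocList's body continues past the end of the hunk.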