patch 9.2.0272: [security]: 'tabpanel' can be set in a modeline

chrisbra · chrisbra · commit 664701eb7576 · 2026-03-30T08:50:10.000Z
Problem: 'tabpanel' can be set in a modeline Solution: Set the P_MLE flag for the 'tabpanel' option, disable autocmd_add()/autocomd_delete() functions in restricted/secure mode. Github Advisory: GHSA-2gmj-rpqf-pxvh Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/autocmd.c b/src/autocmd.c
@@ -3061,6 +3061,9 @@ autocmd_add_or_delete(typval_T *argvars, typval_T *rettv, int delete)
     rettv->v_type = VAR_BOOL;
     rettv->vval.v_number = VVAL_FALSE;
 
+    if (check_restricted() || check_secure())
+	return;
+
     if (check_for_list_arg(argvars, 0) == FAIL)
 	return;
 
diff --git a/src/optiondefs.h b/src/optiondefs.h
@@ -2578,7 +2578,7 @@ static struct vimoption options[] =
 			    (char_u *)&p_tpm, PV_NONE, NULL, NULL,
 			    {(char_u *)10L, (char_u *)0L} SCTX_INIT},
 #if defined(FEAT_TABPANEL)
-    {"tabpanel",  "tpl",    P_STRING|P_VI_DEF|P_RALL,
+    {"tabpanel",  "tpl",    P_STRING|P_VI_DEF|P_RALL|P_MLE,
 			    (char_u *)&p_tpl, PV_NONE, NULL, NULL,
 			    {(char_u *)"", (char_u *)0L} SCTX_INIT},
     {"tabpanelopt","tplo",  P_STRING|P_ALLOCED|P_VI_DEF|P_ONECOMMA|P_COLON
diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
@@ -5962,4 +5962,9 @@ func Test_SwapExists_b_nwindows()
   %bw!
 endfunc
 
+func Test_autocmd_add_secure()
+  call assert_fails('sandbox call autocmd_add([{"event": "BufRead", "cmd": "let x = 1"}])', 'E48:')
+  call assert_fails('sandbox call autocmd_delete([{"event": "BufRead"}])', 'E48:')
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/testdir/test_tabpanel.vim b/src/testdir/test_tabpanel.vim
@@ -872,4 +872,19 @@ function Test_tabpanel_showtabpanel_via_cmd_arg()
   set showtabpanel& noruler&
 endfunc
 
+func Test_tabpanel_no_modeline()
+  let _tpl = &tabpanel
+  let _mls = &modelineexpr
+
+  set nomodelineexpr
+  setlocal modeline
+  new
+  call writefile(['/* vim: set tabpanel=test: */'], 'Xtabpanel.txt', 'D')
+  call assert_fails(':e Xtabpanel.txt', 'E992:')
+
+  let &tabpanel = _tpl
+  let &modelineexpr = _mls
+  bw!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    272,
 /**/
     271,
 /**/
