From 2506347586621114ccb6fedb7f93a560fc19c691 Mon Sep 17 00:00:00 2001
From: Shahaf Arad <shahaf2a@gmail.com>
Date: Fri, 13 Mar 2015 20:00:47 +0200
Subject: [PATCH] Prevent insecure plugin names.

Plugins' names which contain '../', '$HOME', '%:h:h', '..\', etc.
can be dangerous.
Use a sensible whitelist for plugin names and prevent its expansion.
---
 autoload/vundle/config.vim | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/autoload/vundle/config.vim b/autoload/vundle/config.vim
index 8467b9f7..0e02b112 100644
--- a/autoload/vundle/config.vim
+++ b/autoload/vundle/config.vim
@@ -97,6 +97,9 @@ funct! s:check_bundle_name(bundle)
           \ ' previously used the name "' . a:bundle.name . '"' .
           \ '. Skipping Plugin ' . a:bundle.name_spec . '.'
     return 0
+  elseif a:bundle.name !~ '\v^[A-Za-z0-9_-]%(\.?[A-Za-z0-9_-])*$'
+    echoerr 'Invalid plugin name: ' . a:bundle.name
+    return 0
   endif
   let s:bundle_names[a:bundle.name] = a:bundle.name_spec
   return 1
@@ -262,7 +265,7 @@ let s:bundle = {}
 " return -- the target location to clone this bundle to
 " ---------------------------------------------------------------------------
 func! s:bundle.path()
-  return s:expand_path(g:vundle#bundle_dir.'/'.self.name)
+  return s:expand_path(g:vundle#bundle_dir.'/') . self.name
 endf