Restrict the usage of customized search engine on only "http://" or "https://" url schema to avoid whatever application can be launched via "Search on Internet" command.
Summary of the Issue:
A remote code execution (RCE) vulnerability was found when a user opens a crafted containing folder in the command line. Code execution is possible by injecting a & followed by system commands into the name of the folder.
Steps to reproduce:
Download the attached archive on Windows: unzip_me.zip (F404758)
Unzip it and navigate into it
Open the txt file inside with Notepad++
Go to File -> Open containing folder -> cmd
Impact statement:
Successful exploitation of this vulnerability would allow an attacker to remotely execute arbitrary commands on the victim's computer.
Close#5037
User @buggalicious found the summary text is displaying a count of characters without line endings not blanks.
Patch should address #3849 by updating the text to describe what is actually being counted.
Use the _isFolding flag to avoid expensive redundant operations that cause an apparent hang when opening or switching tabs to a large fully-folded file.
The released version of Notepad++ uses the _isFolding flag to avoid expensive redundant operations when switching to a fully-folded tab using the mouse pointer.
However, opening a fully-folded file or switching to a fully-folded tab with the keyboard can produce a delay so long that Notepad++ appears to hang forever.
The hang is 100% reproducible and can be demonstrated in less than 60 seconds:
Download a deeply-nested file such as https://raw.githubusercontent.com/notepad-plus-plus/notepad-plus-plus/master/PowerEditor/src/Parameters.cpp or https://github.com/notepad-plus-plus/notepad-plus-plus/files/1555939/nppTest.zip
Open the file in Notepad++ and fold it using Alt-0
Create a new empty tab
Switch back and forth between tabs using the mouse, which is fast
Switch back and forth between tabs using the keyboard (Ctrl-Tab, Ctrl-Page(Up|Down), Ctrl-NumPad[0-9]), which will hang
This pull request applies the existing _isFolding flag to the forgotten keyboard and file open operations and prevents the hang caused by opening or switching tabs to a fully-folded file.
Fix#3996, fix#1128, fix#1806, fix#4871Close#4867
Steps to Reproduce the Issue:
1. Open two files a.txt (first tab) and b.txt (second tab)
2. Start tail monitoring for a.txt (first tab) and activate b.txt (second tab)
3. Now delete a.txt from the explorer
4. Come back to notepad++
5. Observe the behavior now
Unexpected Behavior:
At step 4, if user choose to keep the file, a.txt is still marked as monitoring. As soon as del action occurs, b.txt automatically comes under "tail monitoring".
If user choose to remove file, a.txt should be removed from the notepad. This is absolutely fine.
Fix#4750, close#4751
This changes the line operations "Sort as Integers Ascending" and "Sort as Integers Descending" to sort by Natural Sort Order, in which consecutive numerals are considered as one character. This causes "2" < "10", just like in the old Integer sort, but also "foo 2" < "foo 10", which was not previously available functionality. In cases where every line is a single integer, Natural Sort functions exactly the same as Integer Sort; when every line begins with a single integer, it is a valid Integer Sort.
Close#4413, fix#2025
Updated file "NppIO.cpp" to deal with issue #3553
However both existing and updated code looks same, but it is not.
command(IDM_VIEW_MONITORING);
looks equal to
buf->stopMonitoring();
checkMenuItem(IDM_VIEW_MONITORING, false);
_toolBar.setCheck(IDM_VIEW_MONITORING, false);
buf->setUserReadOnly(false);
Updated code works on the current file being processed while existing code command(IDM_VIEW_MONITORING); works with current active buffer. Debugging for reported case can help to understand the above statement.
Justification for updating file "NppCommands.cpp":
See static HANDLE hThread gets a handle when monitoring is activated on a tab.
This handle is overwritten if monitoring is activated on another tab. Resource leak happens here as previous handle can't be closed at all.
However, this handle is not used anywhere in the code, then just why not to close the handle as soon thread is created.
Closes#3554, fixes#3553
