Restrict the usage of customized search engine on only "http://" or "https://" url schema to avoid whatever application can be launched via "Search on Internet" command.
New correct behaviour: Dragging out a "new #" document from instance 1 and dropping it into instance 2 makes disappear "new #" document from instance 1, and nothing happens in instance 2.
Several UDL xml files can be loaded to allow to manage/share UDL more easily.
1. The old file userDefineLang.xml is kept in its old location and is still used.
2. The new folder userDefineLangs is added beside of the old UDL default file. Any UDL xml file can go into the folder userDefineLangs and will be loaded as UDL.
3. A UDL xml file must contain one (or several) user defined language(s).
4. The created UDL via UDL dialog and imported UDL are saved in userDefineLang.xml (default UDL file).
https://notepad-plus-plus.org/community/topic/17072/new-enhancement-for-user-defined-language-system
Unexpect behaviour: if "<NppDir>\...dll" and/or "<NppDir>\plugins\..dll" exist, they will be loaded because Notepad++ try to load "<NppDir>\pluginName\pluginName.dll" as plugin, in our case "<NppDir>\plugins\..\...dll" and "<NppDir>\plugins\.\..dll" respectively.
The fix is excluding both directories ".." & "." to not load mentionned above unwanted dll.
Notepad++ launches updater (gup.exe) without checking the signature, that makes exe hacking possible.
The fix is to check updater binary's signature before launching it.
When the amount of clipboard data is too important, it makes crash of function WideCharToMultiByte (win32 API).
The remedy is to capture this error to prevent Notepad++ from crash.
Summary of the Issue:
A remote code execution (RCE) vulnerability was found when a user opens a crafted containing folder in the command line. Code execution is possible by injecting a & followed by system commands into the name of the folder.
Steps to reproduce:
Download the attached archive on Windows: unzip_me.zip (F404758)
Unzip it and navigate into it
Open the txt file inside with Notepad++
Go to File -> Open containing folder -> cmd
Impact statement:
Successful exploitation of this vulnerability would allow an attacker to remotely execute arbitrary commands on the victim's computer.