Blame SOURCES/0001-patch-8.1.1365-source-command-doesn-t-check-for-the-.patch

d7469a
diff -up vim80/src/getchar.c.cve vim80/src/getchar.c
d7469a
--- vim80/src/getchar.c.cve	2019-06-14 13:46:17.269523985 +0200
d7469a
+++ vim80/src/getchar.c	2019-06-14 13:46:58.427169288 +0200
d7469a
@@ -1418,6 +1418,12 @@ openscript(
d7469a
 	EMSG(_(e_nesting));
d7469a
 	return;
d7469a
     }
d7469a
+
d7469a
+    // Disallow sourcing a file in the sandbox, the commands would be executed
d7469a
+    // later, possibly outside of the sandbox.
d7469a
+    if (check_secure())
d7469a
+	return;
d7469a
+
d7469a
 #ifdef FEAT_EVAL
d7469a
     if (ignore_script)
d7469a
 	/* Not reading from script, also don't open one.  Warning message? */