Disable shell() inside an eval("...") for safety.

Based on email from Tim Chase.
2026-04-17 14:59:20 +02:00 · 2025-05-23 11:48:06 -04:00
parent af8c1630c3
commit 4c2b6031cd
5 changed files with 50 additions and 1 deletions
--- a/tests/test.rem
+++ b/tests/test.rem
@@ -1572,6 +1572,18 @@ set a eval("1 / / 2")
 set a catch(eval("1 +"), 33)
 set a catch(eval("1/0"), 34)
 set a catch(eval("1 / / 2"), 35)
+
+# Ensure RUN is disabled in eval
+set a shell("echo foo")
+set a eval("shell(\"echo foo\")")
+set a shell("echo foo")
+
+FSET i() shell("echo foo")
+set a i()
+set a eval("i()")
+set a i()
+FUNSET i
+
 DEBUG -x

 DEBUG -e