Summary of the Issue:
A remote code execution (RCE) vulnerability was found when a user opens a crafted containing folder in the command line. Code execution is possible by injecting a & followed by system commands into the name of the folder.
Steps to reproduce:
Download the attached archive on Windows: unzip_me.zip (F404758)
Unzip it and navigate into it
Open the txt file inside with Notepad++
Go to File -> Open containing folder -> cmd
Impact statement:
Successful exploitation of this vulnerability would allow an attacker to remotely execute arbitrary commands on the victim's computer.
Inexistent path %APPDATA%\Notepad++\plugins\Config\ made some plugins crash.
In this PR the folder is checked (and created if it doesn't exist) by each launch of Notepad++.
Loading plugin list location is changed from %LOCALAPPDATA%\Notepad++\plugins\Config\ to
%PROGRAMDATA%\Notepad++\plugins\Config\
Enhance API NPPM_GETPLUGINSCONFIGDIR
Close#5037
User @buggalicious found the summary text is displaying a count of characters without line endings not blanks.
Patch should address #3849 by updating the text to describe what is actually being counted.
checked all files of the APIs dir for xml syntax issues and corrected the invalid files
Tested with plugin tools and checked also against https://www.xmlvalidation.com/
The current invalid xml syntax seems to have no bad influence on the functionality of the files.
Notepad++ loads plugins only from 2 locations:
1. %PROGRAMDATA%\Notepad++\plugins\ - while Notepad++ installed on: %PROGRAMFILES%\Notepad++\ or wherever without doLocalConf.xml
2. <NPP_INST_DIR>\plugins\ - while Notepad++ installed on wherever (except in %PROGRAMFILES%\Notepad++\) with doLocalConf.xml
- Fixed "Chinglish" Grammar (Original Chinese translator's defence: they are not "Chinglish", they are good Chinese translations which are not accepted by "normal people", who lakes the imagination and creactivity)
- Unified Translation for some terms
- `$STR_REPLACE` -> `$STR_REPLACE$`
- Added Several Translation
While plugins are in %PROGRAMDATA%, we need admin's rights to modify them. This PR detects the plugins installation in %PROGRAMDATA%, then launch wingup with UAC.
This PR contains three types of changes:
1. Actual bug fix. This bug appeared, because prior to closing files, "Close all but this" attempts to save modified files, and for that it needs to switch views. Those views were not restored after that, however - so further actions could end up being executed on a wrong view. Those are changed commented with // We may have to restore previous view after saving new files.
2. Another potential bug fix. Closing files in both views could result in views being switched (it may or may not, I did not manage to unambiguously find that out from the code). To prevent any possible issues, I stored view IDs in viewNo. If those could never switch, then the code changes nothing - but if they could, it fixes a potential bug.
3. Code clarity fix in Notepad_plus::switchEditViewTo. std::swap makes it more obvious this code is there only to swap values around!
Fixes#4911, Close#4920
Use the _isFolding flag to fix several overlooked edge case hangs.
This pull request fixes additional hangs I found after #4867 when working with deeply-nested fully-folded files. The hangs are easy to reproduce by following these steps:
Download the sample file https://raw.githubusercontent.com/notepad-plus-plus/notepad-plus-plus/master/PowerEditor/src/Parameters.cpp
Open the downloaded file by itself in NPP and fold it using Alt-0
Create a new empty tab and remain focused on it
Perform the six actions below, each of which will produce a hang as NPP tries to change focus back to the first tab. On my machine, each hang lasts about 30 seconds. After control returns, refocus the empty tab again and try the next action.
Use File>>Open to reopen the downloaded file, even though it is already open
Drag and drop the downloaded file onto NPP to reopen it
Double-click the downloaded file to reopen it
Right-click the downloaded file and select Edit with Notepad++ in the context menu
Open the downloaded file from the command line: C:\Program Files (x86)\Notepad++\notepad++.exe" .\Parameters.cpp
Click the red [X] in the upper right corner to close NPP
After applying the patch, none of the hangs should happen any more.
Close#4999
This PR fixes UTF-8 detection for 4 byte characters (a 2002 code used by npp assumed characters longer than 3 bytes are invalid -.-). This means such files will not be erroreously displayed as ANSI anymore.
Steps to reproduce:
Create a new UTF-8 file (w/out BOM)
Paste eg. this character 🍪 and save.
Reopen the file again.
Prior to this PR, file is detected as ANSI (even if Notepad++ is configured to default-assume UTF-8!!!). After this fix, file gets opened as UTF-8 correctly.
Fixes#4730, Fixes#3986, Fixes#3441, Fixes#3405, Closes#4922
The new message NPPM_GETPLUGINHOMEPATH allows plugins to get plugin home root path. It's useful if plugins want to get its own path by appending <pluginFolderName> which is the name of plugin without extension part.
Simply plugins loading emplacement:
NPPM_GETAPPDATAPLUGINSALLOWED to check to see if loading plugins from "%APPDATA%\..\Local\Notepad++\plugins" is allowed.
If doLocalConf no
else yes
1. Load plugins only from the new plugin folder structure. example: Notepad++\plugins\myAwesomePlugin\myAwesomePlugin.dll
2. Load plugins from only one directory. If doLocalConf.xml is present, then it will be <NPP_INSTALLATION_DIR>\plugins\
otherwise %USERPROFILE%\AppData\Local\Notepad++\plugins\
Old installation behaviour is loading installed plugins without restart Notepad++, which could make some plugins loading uncomplete.
New behaviour use the same implementation of plugin updating, witch quit notepad++ for plugin installation then restart Notepad++.