vim-patch:9.2.0481: runtime(netrw): command injection possible via maps

Problem: runtime(netrw): command injection possible via crafted directory names in NetrwMaps() (Christopher Lusk) Solution: Temporarily remove B flag in NetrwMaps() to prevent command injection 8e41c34aba Co-authored-by: Christian Brabandt <cb@256bit.org>
2026-05-24 13:50:06 +00:00 · 2026-05-15 09:06:11 +08:00
parent 86c5703111
commit 10432d0df8
2 changed files with 27 additions and 0 deletions
--- a/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+++ b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
@@ -4814,6 +4814,12 @@ endfunction

 " s:NetrwMaps: {{{2
 function s:NetrwMaps(islocal)
+    " remove B flag from 'cpo' so that \<CR>, \<Bar>, etc. inside
+    " interpolated path names play back as literal text rather than
+    " the actual key — without this, a crafted directory name can
+    " inject keystrokes into the cmdline the mapping is typing
+    let _cpo = &cpo
+    set cpo-=B

    " mouse <Plug> maps: {{{3
    if g:netrw_mousemaps && g:netrw_retmap
@@ -5058,6 +5064,7 @@ function s:NetrwMaps(islocal)
        " support user-specified maps
        call netrw#UserMaps(0)
    endif " }}}3
+    let &cpo = _cpo
 endfunction

 " s:NetrwCommands: set up commands                              {{{2
--- a/test/old/testdir/test_plugin_netrw.vim
+++ b/test/old/testdir/test_plugin_netrw.vim
@@ -738,6 +738,7 @@ func Test_netrw_mf_command_injection()
  let path = tempname()
  let fname = 'x" . execute("silent! !touch poc") . "'
  call mkdir(path, 'R')
+  let _cwd = getcwd()
  exe "cd " path
  call writefile([], fname)
  Explore .
@@ -745,6 +746,25 @@ func Test_netrw_mf_command_injection()
  :norm mf
  :norm mf
  call assert_false(filereadable('poc'), 'Command injection via mf command')
+  exe "cd " _cwd
+  bw!
 endfunc

+function Test_netrw_NetrwMaps_CR_dirname()
+  CheckNotMSWindows
+
+  let tmpdir = tempname() . '/evil<CR>:let g:netrw_pwn=1<CR>'
+  call mkdir(tmpdir, 'pR')
+  call assert_true(isdirectory(tmpdir))
+  exe ":Explore " tmpdir
+  " Fire D
+  " If the commands are injected successfully,
+  " this fails with
+  "  Vim(let):E488: Trailing characters: \ @ command line script
+  call feedkeys("D\<C-c>\<C-c>", "xt")
+  call assert_false(exists("g:netrw_pwn"))
+
+  unlet! g:netrw_pwn
+  bw!
+endfunction
 " vim:ts=8 sts=2 sw=2 et