From 10432d0df814ffeeee11ef2db118385add36a830 Mon Sep 17 00:00:00 2001
From: zeertzjq <zeertzjq@outlook.com>
Date: Fri, 15 May 2026 09:06:11 +0800
Subject: [PATCH] vim-patch:9.2.0481: runtime(netrw): command injection
 possible via maps

Problem:  runtime(netrw): command injection possible via crafted
          directory names in NetrwMaps() (Christopher Lusk)
Solution: Temporarily remove B flag in NetrwMaps() to prevent command
          injection

https://github.com/vim/vim/commit/8e41c34aba0e775d2e3bf6f0e2da1b1c5317f3df

Co-authored-by: Christian Brabandt <cb@256bit.org>
---
 .../pack/dist/opt/netrw/autoload/netrw.vim    |  7 +++++++
 test/old/testdir/test_plugin_netrw.vim        | 20 +++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/runtime/pack/dist/opt/netrw/autoload/netrw.vim b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
index b6f8da937b..61c7ecf754 100644
--- a/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+++ b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
@@ -4814,6 +4814,12 @@ endfunction
 
 " s:NetrwMaps: {{{2
 function s:NetrwMaps(islocal)
+    " remove B flag from 'cpo' so that \<CR>, \<Bar>, etc. inside
+    " interpolated path names play back as literal text rather than
+    " the actual key — without this, a crafted directory name can
+    " inject keystrokes into the cmdline the mapping is typing
+    let _cpo = &cpo
+    set cpo-=B
 
     " mouse <Plug> maps: {{{3
     if g:netrw_mousemaps && g:netrw_retmap
@@ -5058,6 +5064,7 @@ function s:NetrwMaps(islocal)
         " support user-specified maps
         call netrw#UserMaps(0)
     endif " }}}3
+    let &cpo = _cpo
 endfunction
 
 " s:NetrwCommands: set up commands                              {{{2
diff --git a/test/old/testdir/test_plugin_netrw.vim b/test/old/testdir/test_plugin_netrw.vim
index cdc68403e5..ca8746a590 100644
--- a/test/old/testdir/test_plugin_netrw.vim
+++ b/test/old/testdir/test_plugin_netrw.vim
@@ -738,6 +738,7 @@ func Test_netrw_mf_command_injection()
   let path = tempname()
   let fname = 'x" . execute("silent! !touch poc") . "'
   call mkdir(path, 'R')
+  let _cwd = getcwd()
   exe "cd " path
   call writefile([], fname)
   Explore .
@@ -745,6 +746,25 @@ func Test_netrw_mf_command_injection()
   :norm mf
   :norm mf
   call assert_false(filereadable('poc'), 'Command injection via mf command')
+  exe "cd " _cwd
+  bw!
 endfunc
 
+function Test_netrw_NetrwMaps_CR_dirname()
+  CheckNotMSWindows
+
+  let tmpdir = tempname() . '/evil<CR>:let g:netrw_pwn=1<CR>'
+  call mkdir(tmpdir, 'pR')
+  call assert_true(isdirectory(tmpdir))
+  exe ":Explore " tmpdir
+  " Fire D
+  " If the commands are injected successfully,
+  " this fails with
+  "  Vim(let):E488: Trailing characters: \ @ command line script
+  call feedkeys("D\<C-c>\<C-c>", "xt")
+  call assert_false(exists("g:netrw_pwn"))
+
+  unlet! g:netrw_pwn
+  bw!
+endfunction
 " vim:ts=8 sts=2 sw=2 et