fix(vim.secure): read() command injection vulnerability #39918

Problem: Malicious filename can execute code because of ":" cmdline expansion. Solution: Use `fnameescape()`. fix https://github.com/neovim/neovim/issues/39914
2026-05-24 05:40:08 +00:00 · 2026-05-20 15:27:43 -04:00
parent 24e00f2844
commit 799cbfff85
2 changed files with 29 additions and 1 deletions
--- a/runtime/lua/vim/secure.lua
+++ b/runtime/lua/vim/secure.lua
@@ -151,7 +151,7 @@ function M.read(path)
    return nil
  elseif result == 2 then
    -- View
-    vim.cmd('sview ' .. fullpath)
+    vim.cmd(('sview %s'):format(vim.fn.fnameescape(fullpath)))
    return nil
  elseif result == 3 then
    -- Deny