vim-patch:9.2.0202: [security]: command injection via newline in glob() (#38385)

Problem:  The glob() function on Unix-like systems does not escape
          newline characters when expanding wildcards. A maliciously
          crafted string containing '\n' can be used as a command
          separator to execute arbitrary shell commands via
          mch_expand_wildcards(). This depends on the user's 'shell'
          setting.
Solution: Add the newline character ('\n') to the SHELL_SPECIAL
          definition to ensure it is properly escaped before being
          passed to the shell (pyllyukko).

closes: vim/vim#19746

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c

645ed6597d

Co-authored-by: pyllyukko <pyllyukko@maimed.org>
(cherry picked from commit f577e05522)
This commit is contained in:
zeertzjq
2026-03-20 08:19:52 +08:00
committed by github-actions[bot]
parent cf6660d3c1
commit bea7f3a44e


@@ -50,7 +50,7 @@
#define NS_1_SECOND 1000000000U // 1 second, in nanoseconds
#define OUT_DATA_THRESHOLD 1024 * 10U // 10KB, "a few screenfuls" of data.
#define SHELL_SPECIAL "\t \"&'$;<>()\\|"
#define SHELL_SPECIAL "\t \"&'$;<>()\\|\n"
#ifdef INCLUDE_GENERATED_DECLARATIONS
# include "os/shell.c.generated.h"
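Review bot: the SHELL_SPECIAL change itself looks right, but the hunk carries no regression test and no comment explaining why '\n' is in the list; a short comment next to the define ("newline acts as a command separator in sh-style shells") and a test that calls glob() on a pattern containing "\n" and asserts that no command runs would make the intent survive future edits to this string. One behavioural caveat worth stating in a comment: if the expansion path escapes each SHELL_SPECIAL character with a backslash (as the existing "\\" entry suggests), then in a POSIX sh an unquoted backslash-newline is a line continuation and both characters are removed, so the pattern loses the newline rather than matching a filename that contains one. That is an acceptable trade-off for closing the injection, but it is a silent change in matching behaviour and should be documented rather than left implicit. Also note the commit message says the outcome depends on the user's 'shell' setting, so the test should cover at least the default sh-style path.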