From bea7f3a44e6b9e102f9452af8cc6864b47d944dd Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Fri, 20 Mar 2026 08:19:52 +0800
Subject: [PATCH] vim-patch:9.2.0202: [security]: command injection via newline in glob() (#38385)

Problem: The glob() function on Unix-like systems does not escape newline characters when expanding wildcards. A maliciously crafted string containing '\n' can be used as a command separator to execute arbitrary shell commands via mch_expand_wildcards(). This depends on the user's 'shell' setting.
Solution: Add the newline character ('\n') to the SHELL_SPECIAL definition to ensure it is properly escaped before being passed to the shell (pyllyukko).
closes: vim/vim#19746
Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a
Co-authored-by: pyllyukko
(cherry picked from commit f577e055221e4cde198401731e9568a9c4b3de50)
---
 src/nvim/os/shell.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/nvim/os/shell.c b/src/nvim/os/shell.c
index 7dff8a1b07..747ca0e0ce 100644
--- a/src/nvim/os/shell.c
+++ b/src/nvim/os/shell.c
@@ -50,7 +50,7 @@
 #define NS_1_SECOND 1000000000U // 1 second, in nanoseconds
 #define OUT_DATA_THRESHOLD 1024 * 10U // 10KB, "a few screenfuls" of data.
-#define SHELL_SPECIAL "\t \"&'$;<>()\\|"
+#define SHELL_SPECIAL "\t \"&'$;<>()\\|\n"
 #ifdef INCLUDE_GENERATED_DECLARATIONS
 # include "os/shell.c.generated.h"
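Review bot: The new `\n` at the end of the SHELL_SPECIAL literal carries no explanation in the code, and a later maintainer tidying the string could drop it without realising it closes a command-injection hole; the reason lives only in this commit message. A comment on the `#define` would pin it, e.g. `// '\n' is a command separator in POSIX shells and must be escaped like ';' (GHSA-w5jw-f54h-x46c).` The fix is only effective for paths that run their arguments through the SHELL_SPECIAL escaping before handing them to the shell; the hunk shows just the macro, so whether every wildcard-expansion path does so is not visible here and is worth confirming. Since the message notes the behaviour depends on the user's 'shell' setting, a regression test that passes a pattern containing a newline to glob() and asserts no second command runs would keep this from regressing.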