vim-patch:9.2.0663: [security]: runtime(netrw): code injection in local file deletion

Problem:  [security]: s:NetrwLocalRmFile() escapes only the backslash in
          the file name before passing it to :execute, so a name
          containing "|" injects arbitrary Ex commands when the file is
          deleted (cipher-creator)
Solution: Use fnameescape() to correctly escape the file name
          (Yasuhiro Matsumoto).

Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-vhh8-v6wx-hjjh

Supported by AI

55bc757a5d

Co-authored-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
This commit is contained in:
zeertzjq
2026-06-17 15:08:37 +08:00
parent 52d7bbd1a0
commit c4ce10930c
2 changed files with 23 additions and 3 deletions

View File

@@ -1,7 +1,7 @@
" Creator: Charles E Campbell
" Previous Maintainer: Luca Saccarola <github.e41mv@aleeas.com>
" Maintainer: This runtime file is looking for a new maintainer.
" Last Change: 2026 Jun 10
" Last Change: 2026 Jun 16
" Copyright: Copyright (C) 2016 Charles E. Campbell {{{1
" Permission is hereby granted to use and distribute this code,
" with or without modifications, provided that this copyright
@@ -3083,7 +3083,7 @@ function s:NetrwBrowse(islocal,dirname)
elseif !a:islocal && dirname !~ '[\/]$' && dirname !~ '^"'
" s:NetrwBrowse : remote regular file handler {{{3
if bufname(dirname) != ""
exe "NetrwKeepj b ".bufname(dirname)
exe "NetrwKeepj b ".fnameescape(bufname(dirname))
else
" attempt transfer of remote regular file
@@ -8804,7 +8804,7 @@ function s:NetrwLocalRmFile(path, fname, all)
call netrw#msg#Notify('ERROR', printf("unable to delete <%s>!", rmfile))
else
" Remove file only if there are no pending changes
execute printf('silent! bwipeout %s', rmfile)
execute printf('silent! bwipeout %s', fnameescape(rmfile))
endif
elseif dir && (all || empty(ok))

View File

@@ -856,4 +856,24 @@ func Test_netrw_injection()
endtry
endfunc
" Deleting a file whose name contains an Ex command separator must not let the
" name inject commands into the :execute in s:NetrwLocalRmFile().
func Test_netrw_local_rm_injection()
CheckUnix
let dir = getcwd() . '/Xnetrwrm'
let fname = "x|let g:injected = 1"
call mkdir(dir, 'pR')
call writefile([], dir . '/' . fname)
try
call netrw#Call('NetrwLocalRmFile', dir, fname, 1)
call assert_false(exists('g:injected'), 'filename must not inject Ex commands')
" The file is removed before the sink, so its absence also confirms the
" vulnerable code path was actually exercised (not skipped on an error).
call assert_false(filereadable(dir . '/' . fname), 'crafted file must be deleted')
finally
call delete(dir . '/' . fname)
unlet! g:injected
endtry
endfunc
" vim:ts=8 sts=2 sw=2 et