fix(vim.secure): read() command injection vulnerability #39918

Problem: Malicious filename can execute code because of ":" cmdline expansion. Solution: Use `fnameescape()`. fix https://github.com/neovim/neovim/issues/39914 (cherry picked from commit 799cbfff85)
2026-06-18 17:51:18 +00:00 · 2026-05-20 15:27:43 -04:00
parent 17ddfde131
commit f83e0dcaf8
2 changed files with 29 additions and 1 deletions
--- a/runtime/lua/vim/secure.lua
+++ b/runtime/lua/vim/secure.lua
@@ -150,7 +150,7 @@ function M.read(path)
    return nil
  elseif result == 2 then
    -- View
-    vim.cmd('sview ' .. fullpath)
+    vim.cmd(('sview %s'):format(vim.fn.fnameescape(fullpath)))
    return nil
  elseif result == 3 then
    -- Deny