patch 9.2.0523: tests: no test for using shellescape() in combination with :!
Commit: https://github.com/vim/vim/commit/fccc2adc98c3d6664f1f2d8ddab17b096e647986 Author: Christian Brabandt <[email protected]> Date: Sat May 23 19:05:28 2026 +0000 patch 9.2.0523: tests: no test for using shellescape() in combination with :! Problem: tests: no test for using shellescape() in combination with :! Solution: Add a test that checks runtime files for using wrong combination of shellescape() with ! ex command This has lead to a few security relevant issues, so add a test that checks all runtime files for any ! followed by a shellescape() that does not use the {special} arg. related: Commit: 3fb5e58fbc63d86a3e65f1a141b0d67af2 (patch 9.2.0479: [security]: runtime(tar): command injection in tar plugin) closes: #20286 Supported by AI Signed-off-by: Christian Brabandt <[email protected]>
diff --git a/src/testdir/test_codestyle.vim b/src/testdir/test_codestyle.vim
index da08e71ff..1dcca61ea 100644
--- a/src/testdir/test_codestyle.vim
+++ b/src/testdir/test_codestyle.vim
@@ -195,4 +195,27 @@ def Test_indent_of_source_files()
 endfor
 enddef

+def Test_runtime_wrong_shellescape()
+ # Check that shellescape() is called with the {special} argument (a second,
+ # non-zero argument) when its result is used in a ":!" ex command.
+ # This could cause code injection!
+ var pattern = '\<shellescape(\%([^,()]\|([^()]*)\)\+)'
+
+ var q = "['" .. '"]'
+ var bang_exe = '\<\%(exe\%[cute]\|sil\%[ent]\)\>.*' .. q .. '[^"' .. "']*!"
+
+ var skip = 'getline(".") !~ ' .. string(bang_exe) .. ' || getline(".") =~ ' .. string('\<system\%(list\)\=(') .. ' || getline(".") =~ ' .. string('^\s*"')
+
+ for fpath in glob('../../runtime/**/*.vim', 0, 1)
+ g:ignoreSwapExists = 'e'
+ exe 'edit ' .. fpath
+ PerformCheck(fpath, pattern,
+ 'shellescape() without {special} flag used in ":!" command', skip)
+ endfor
+
+ :%bwipe!
+enddef
+
 " vim: shiftwidth=2 sts=2 expandtab nofoldenable
diff --git a/src/version.c b/src/version.c
index 95434f97f..af37e33da 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 523,
 /**/
 522,
 /**/
-- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/vim_dev/E1wQroP-002khU-64%40256bit.org.
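Review bot: The regex on the `var pattern = …` line flags only shellescape() calls that have no second argument, so an explicit zero `{special}` such as `shellescape(fname, 0)` or `shellescape(fname, v:false)` passes the check although the comment two lines above requires a non-zero argument. Making that tail optional, e.g. `var pattern = '\<shellescape(\%([^,()]\|([^()]*)\)\+\%(,\s*\%(0\|v:false\)\)\=)'`, would cover that form as well. The `skip` expression inspects only `getline(".")`, so a `:!` built with `exe` across a backslash line continuation, with shellescape() on the continued line, is skipped; likewise a bare `` :!cmd `=shellescape(f)` `` never matches `bang_exe`, which requires a quote before the `!`. These gaps are inferred from the regexes rather than from a failing runtime file; a short comment above `var skip` listing what the check does not cover would make the test's scope explicit.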
