patch 9.2.0663: [security]: runtime(netrw): code injection in local file deletion
Commit: https://github.com/vim/vim/commit/55bc757a5d436e59d50fe43f7cda94b118f86cb2 Author: Yasuhiro Matsumoto <[email protected]> Date: Tue Jun 16 21:00:28 2026 +0000 patch 9.2.0663: [security]: runtime(netrw): code injection in local file deletion Problem: [security]: s:NetrwLocalRmFile() escapes only the backslash in the file name before passing it to :execute, so a name containing "|" injects arbitrary Ex commands when the file is deleted (cipher-creator) Solution: Use fnameescape() to correctly escape the file name (Yasuhiro Matsumoto). Github Security Advisory: https://github.com/vim/vim/security/advisories/GHSA-vhh8-v6wx-hjjh Supported by AI Signed-off-by: Yasuhiro Matsumoto <[email protected]> Signed-off-by: Christian Brabandt <[email protected]> diff --git a/runtime/pack/dist/opt/netrw/autoload/netrw.vim b/runtime/pack/dist/opt/netrw/autoload/netrw.vim index fe8d3f11f..8006837cf 100644 --- a/runtime/pack/dist/opt/netrw/autoload/netrw.vim +++ b/runtime/pack/dist/opt/netrw/autoload/netrw.vim @@ -1,7 +1,7 @@ " Creator: Charles E Campbell " Previous Maintainer: Luca Saccarola <[email protected]> " Maintainer: This runtime file is looking for a new maintainer. -" Last Change: 2026 Jun 10 +" Last Change: 2026 Jun 16 " Copyright: Copyright (C) 2016 Charles E. Campbell {{{1 " Permission is hereby granted to use and distribute this code, " with or without modifications, provided that this copyright @@ -3083,7 +3083,7 @@ function s:NetrwBrowse(islocal,dirname) elseif !a:islocal && dirname !~ '[\/]$' && dirname !~ '^"' " s:NetrwBrowse : remote regular file handler {{{3 if bufname(dirname) != "" - exe "NetrwKeepj b ".bufname(dirname) + exe "NetrwKeepj b ".fnameescape(bufname(dirname)) else " attempt transfer of remote regular file @@ -8800,7 +8800,7 @@ function s:NetrwLocalRmFile(path, fname, all) call netrw#msg#Notify('ERROR', printf("unable to delete <%s>!", rmfile)) else " Remove file only if there are no pending changes - execute printf('silent! bwipeout %s', rmfile) + execute printf('silent! bwipeout %s', fnameescape(rmfile)) endif elseif dir && (all || empty(ok)) diff --git a/src/testdir/test_plugin_netrw.vim b/src/testdir/test_plugin_netrw.vim index 0cb0c38da..eee5f0984 100644 --- a/src/testdir/test_plugin_netrw.vim +++ b/src/testdir/test_plugin_netrw.vim @@ -849,4 +849,24 @@ func Test_netrw_injection() endtry endfunc +" Deleting a file whose name contains an Ex command separator must not let the +" name inject commands into the :execute in s:NetrwLocalRmFile(). +func Test_netrw_local_rm_injection() + CheckUnix + let dir = getcwd() . '/Xnetrwrm' + let fname = "x|let g:injected = 1" + call mkdir(dir, 'pR') + call writefile([], dir . '/' . fname) + try + call netrw#Call('NetrwLocalRmFile', dir, fname, 1) + call assert_false(exists('g:injected'), 'filename must not inject Ex commands') + " The file is removed before the sink, so its absence also confirms the + " vulnerable code path was actually exercised (not skipped on an error). + call assert_false(filereadable(dir . '/' . fname), 'crafted file must be deleted') + finally + call delete(dir . '/' . fname) + unlet! g:injected + endtry +endfunc + " vim:ts=8 sts=2 sw=2 et diff --git a/src/version.c b/src/version.c index 770b0841c..17324c9ae 100644 --- a/src/version.c +++ b/src/version.c @@ -759,6 +759,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 663, /**/ 662, /**/ -- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/vim_dev/E1wZbMD-0017oJ-E4%40256bit.org.
