From c78194e41d5a0b05b0ddf383b6679b1503f977fb Mon Sep 17 00:00:00 2001 From: Christian Brabandt Date: Wed, 15 Apr 2026 20:17:17 +0000 Subject: [PATCH] patch 9.2.0357: [security]: command injection via backticks in tag files Problem: [security]: command injection via backticks in tag files (Srinivas Piskala Ganesh Babu, Andy Ngo) Solution: Disallow backticks before attempting to expand filenames. Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8 Supported by AI Signed-off-by: Christian Brabandt --- src/tag.c | 4 +++- src/testdir/test_tagjump.vim | 24 ++++++++++++++++++++++++ src/version.c | 2 ++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/src/tag.c b/src/tag.c index d3e27e602..0f12e384b 100644 --- a/src/tag.c +++ b/src/tag.c @@ -4137,8 +4137,10 @@ expand_tag_fname(char_u *fname, char_u *tag_fname, int expand) /* * Expand file name (for environment variables) when needed. + * Disallow backticks, they could execute arbitrary shell + * commands. This is not needed for tag filenames. */ - if (expand && mch_has_wildcard(fname)) + if (expand && mch_has_wildcard(fname) && vim_strchr(fname, '`') == NULL) { ExpandInit(&xpc); xpc.xp_context = EXPAND_FILES; diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim index bbab3c70e..c0fa7b02e 100644 --- a/src/testdir/test_tagjump.vim +++ b/src/testdir/test_tagjump.vim @@ -258,4 +258,28 @@ bwipe! endfunc +" Test that backtick expressions in tag filenames are not expanded. +" This prevents command injection via malicious tags files. +func Test_tag_backtick_filename_not_expanded() + let pwned_file = 'Xtags_pwnd' + call assert_false(filereadable(pwned_file)) + + let tagline = "main\t`touch " . pwned_file . "`\t/^int main/;\"\tf" + call writefile([tagline], 'Xbt_tags') + call writefile(['int main(int argc, char **argv) {', '}'], 'Xbt_main.c') + + set tags=Xbt_tags + sp Xbt_main.c + + " The :tag command should fail to find the file, but must NOT execute + " the backtick shell command. + call assert_fails('tag main', 'E429:') + call assert_false(filereadable(pwned_file)) + + set tags& + call delete('Xbt_tags') + call delete('Xbt_main.c') + bwipe! +endfunc + " vim: shiftwidth=2 sts=2 expandtab -- 2.54.0