41 lines
1.3 KiB
Diff
41 lines
1.3 KiB
Diff
From 645ed6597d1ea896c712cd7ddbb6edee79577e9a Mon Sep 17 00:00:00 2001
|
|
From: pyllyukko <pyllyukko@maimed.org>
|
|
Date: Thu, 19 Mar 2026 19:58:05 +0000
|
|
Subject: [PATCH] patch 9.2.0202: [security]: command injection via newline in
|
|
glob()
|
|
|
|
Problem: The glob() function on Unix-like systems does not escape
|
|
newline characters when expanding wildcards. A maliciously
|
|
crafted string containing '\n' can be used as a command
|
|
separator to execute arbitrary shell commands via
|
|
mch_expand_wildcards(). This depends on the user's 'shell'
|
|
setting.
|
|
Solution: Add the newline character ('\n') to the SHELL_SPECIAL
|
|
definition to ensure it is properly escaped before being
|
|
passed to the shell (pyllyukko).
|
|
|
|
closes: #19746
|
|
|
|
Github Advisory:
|
|
https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
|
|
|
|
Signed-off-by: pyllyukko <pyllyukko@maimed.org>
|
|
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
|
---
|
|
src/os_unix.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/src/os_unix.c b/src/os_unix.c
|
|
index 03f7649090c96..91bfd63d0dcb2 100644
|
|
--- a/src/os_unix.c
|
|
+++ b/src/os_unix.c
|
|
@@ -6772,7 +6772,7 @@ mch_expand_wildcards(
|
|
# define SEEK_END 2
|
|
#endif
|
|
|
|
-#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|"
|
|
+#define SHELL_SPECIAL (char_u *)"\t \"&'$;<>()\\|\n"
|
|
|
|
int
|
|
mch_expand_wildcards(
|