patch 9.2.0523: tests: no test for using shellescape() in combination with :!
Commit:
https://github.com/vim/vim/commit/fccc2adc98c3d6664f1f2d8ddab17b096e647986
Author: Christian Brabandt <
c...@256bit.org>
Date: Sat May 23 19:05:28 2026 +0000
patch 9.2.0523: tests: no test for using shellescape() in combination with :!
Problem: tests: no test for using shellescape() in combination with :!
Solution: Add a test that checks runtime files for using wrong
combination of shellescape() with ! ex command
This has led to a few security-relevant issues, so add a test that
checks all runtime files for any ! followed by a shellescape() that does
not use the {special} arg.
related: Commit: 3fb5e58fbc63d86a3e65f1a141b0d67af2 (patch 9.2.0479:
[security]: runtime(tar): command injection in tar plugin)
closes: #20286
Supported by AI
Signed-off-by: Christian Brabandt <
c...@256bit.org>
diff --git a/src/testdir/test_codestyle.vim b/src/testdir/test_codestyle.vim
index da08e71ff..1dcca61ea 100644
--- a/src/testdir/test_codestyle.vim
+++ b/src/testdir/test_codestyle.vim
@@ -195,4 +195,27 @@ def Test_indent_of_source_files()
endfor
enddef
+def Test_runtime_wrong_shellescape()
+ # Check that shellescape() is called with the {special} argument (a second,
+ # non-zero argument) when its result is used in a ":!" ex command.
+ # This could cause code injection!
+ var pattern = '\<shellescape(\%([^,()]\|([^()]*)\)\+)'
+
+ var q = "['" .. '"]'
+ var bang_exe = '\<\%(exe\%[cute]\|sil\%[ent]\)\>.*' .. q .. '[^"' .. "']*!"
+
+ var skip = 'getline(".") !~ ' .. string(bang_exe)
+ .. ' || getline(".") =~ ' .. string('\<system\%(list\)\=(')
+ .. ' || getline(".") =~ ' .. string('^\s*"')
+
+ for fpath in glob('../../runtime/**/*.vim', 0, 1)
+ g:ignoreSwapExists = 'e'
+ exe 'edit ' .. fpath
+ PerformCheck(fpath, pattern,
+ 'shellescape() without {special} flag used in ":!" command', skip)
+ endfor
+
+ :%bwipe!
+enddef
+
" vim: shiftwidth=2 sts=2 expandtab nofoldenable
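Review bot: `exe 'edit ' .. fpath` inside the glob loop concatenates the path into an ex command unescaped, so a runtime path containing a space, `|`, `%` or `#` would be split or expanded instead of opened; `exe 'edit ' .. fnameescape(fpath)` is the safe form, which is also the kind of escaping discipline this very test is enforcing for shell arguments. The comment skip `'^\s*"'` only recognises legacy `"` comment lines, so a `shellescape()` mention inside a Vim9 `#` comment in one of the scanned runtime files would still be flagged; if that is accepted, a short comment on the `skip` expression saying so would save the next reader from re-deriving it. `g:ignoreSwapExists = 'e'` is assigned on every iteration although it never changes; it can sit above the `for`. How `skip` is applied is not visible here (PerformCheck is defined outside the hunk), so whether a `system()` call and a `:!` on the same line is skipped or reported is inferred rather than certain.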
diff --git a/src/version.c b/src/version.c
index 95434f97f..af37e33da 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 523,
/**/
522,
/**/