Commit: patch 9.2.0663: [security]: runtime(netrw): code injection in local file deletion
2 views
Skip to first unread message
Christian Brabandt
Jun 16, 2026, 5:30:14 PM (2 days ago) Jun 16
to vim...@googlegroups.com
patch 9.2.0663: [security]: runtime(netrw): code injection in local file deletion
Commit: https://github.com/vim/vim/commit/55bc757a5d436e59d50fe43f7cda94b118f86cb2
Author: Yasuhiro Matsumoto <matt...@gmail.com>
Date: Tue Jun 16 21:00:28 2026 +0000
patch 9.2.0663: [security]: runtime(netrw): code injection in local file deletion
Problem: [security]: s:NetrwLocalRmFile() escapes only the backslash in
the file name before passing it to :execute, so a name
containing "|" injects arbitrary Ex commands when the file is
deleted (cipher-creator)
Solution: Use fnameescape() to correctly escape the file name
(Yasuhiro Matsumoto).
Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-vhh8-v6wx-hjjh
Supported by AI
Signed-off-by: Yasuhiro Matsumoto <matt...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/runtime/pack/dist/opt/netrw/autoload/netrw.vim b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
index fe8d3f11f..8006837cf 100644
--- a/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+++ b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
@@ -1,7 +1,7 @@
" Creator: Charles E Campbell
" Previous Maintainer: Luca Saccarola <github...@aleeas.com>
" Maintainer: This runtime file is looking for a new maintainer.
-" Last Change: 2026 Jun 10
+" Last Change: 2026 Jun 16
" Copyright: Copyright (C) 2016 Charles E. Campbell {{{1
" Permission is hereby granted to use and distribute this code,
" with or without modifications, provided that this copyright
@@ -3083,7 +3083,7 @@ function s:NetrwBrowse(islocal,dirname)
elseif !a:islocal && dirname !~ '[\/]$' && dirname !~ '^"'
" s:NetrwBrowse : remote regular file handler {{{3
if bufname(dirname) != ""
- exe "NetrwKeepj b ".bufname(dirname)
+ exe "NetrwKeepj b ".fnameescape(bufname(dirname))
else
" attempt transfer of remote regular file
@@ -8800,7 +8800,7 @@ function s:NetrwLocalRmFile(path, fname, all)
call netrw#msg#Notify('ERROR', printf("unable to delete <%s>!", rmfile))
else
" Remove file only if there are no pending changes
- execute printf('silent! bwipeout %s', rmfile)
+ execute printf('silent! bwipeout %s', fnameescape(rmfile))
endif
elseif dir && (all || empty(ok))
diff --git a/src/testdir/test_plugin_netrw.vim b/src/testdir/test_plugin_netrw.vim
index 0cb0c38da..eee5f0984 100644
--- a/src/testdir/test_plugin_netrw.vim
+++ b/src/testdir/test_plugin_netrw.vim
@@ -849,4 +849,24 @@ func Test_netrw_injection()
endtry
endfunc
+" Deleting a file whose name contains an Ex command separator must not let the
+" name inject commands into the :execute in s:NetrwLocalRmFile().
+func Test_netrw_local_rm_injection()
+ CheckUnix
+ let dir = getcwd() . '/Xnetrwrm'
+ let fname = "x|let g:injected = 1"
+ call mkdir(dir, 'pR')
+ call writefile([], dir . '/' . fname)
+ try
+ call netrw#Call('NetrwLocalRmFile', dir, fname, 1)
+ call assert_false(exists('g:injected'), 'filename must not inject Ex commands')
+ " The file is removed before the sink, so its absence also confirms the
+ " vulnerable code path was actually exercised (not skipped on an error).
+ call assert_false(filereadable(dir . '/' . fname), 'crafted file must be deleted')
+ finally
+ call delete(dir . '/' . fname)
+ unlet! g:injected
+ endtry
+endfunc
+
" vim:ts=8 sts=2 sw=2 et
diff --git a/src/version.c b/src/version.c
index 770b0841c..17324c9ae 100644
--- a/src/version.c
+++ b/src/version.c
@@ -759,6 +759,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 663,
/**/
662,
/**/
Commit: https://github.com/vim/vim/commit/55bc757a5d436e59d50fe43f7cda94b118f86cb2
Author: Yasuhiro Matsumoto <matt...@gmail.com>
Date: Tue Jun 16 21:00:28 2026 +0000
patch 9.2.0663: [security]: runtime(netrw): code injection in local file deletion
Problem: [security]: s:NetrwLocalRmFile() escapes only the backslash in
the file name before passing it to :execute, so a name
containing "|" injects arbitrary Ex commands when the file is
deleted (cipher-creator)
Solution: Use fnameescape() to correctly escape the file name
(Yasuhiro Matsumoto).
Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-vhh8-v6wx-hjjh
Supported by AI
Signed-off-by: Yasuhiro Matsumoto <matt...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/runtime/pack/dist/opt/netrw/autoload/netrw.vim b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
index fe8d3f11f..8006837cf 100644
--- a/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+++ b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
@@ -1,7 +1,7 @@
" Creator: Charles E Campbell
" Previous Maintainer: Luca Saccarola <github...@aleeas.com>
" Maintainer: This runtime file is looking for a new maintainer.
-" Last Change: 2026 Jun 10
+" Last Change: 2026 Jun 16
" Copyright: Copyright (C) 2016 Charles E. Campbell {{{1
" Permission is hereby granted to use and distribute this code,
" with or without modifications, provided that this copyright
@@ -3083,7 +3083,7 @@ function s:NetrwBrowse(islocal,dirname)
elseif !a:islocal && dirname !~ '[\/]$' && dirname !~ '^"'
" s:NetrwBrowse : remote regular file handler {{{3
if bufname(dirname) != ""
- exe "NetrwKeepj b ".bufname(dirname)
+ exe "NetrwKeepj b ".fnameescape(bufname(dirname))
else
" attempt transfer of remote regular file
@@ -8800,7 +8800,7 @@ function s:NetrwLocalRmFile(path, fname, all)
call netrw#msg#Notify('ERROR', printf("unable to delete <%s>!", rmfile))
else
" Remove file only if there are no pending changes
- execute printf('silent! bwipeout %s', rmfile)
+ execute printf('silent! bwipeout %s', fnameescape(rmfile))
endif
elseif dir && (all || empty(ok))
diff --git a/src/testdir/test_plugin_netrw.vim b/src/testdir/test_plugin_netrw.vim
index 0cb0c38da..eee5f0984 100644
--- a/src/testdir/test_plugin_netrw.vim
+++ b/src/testdir/test_plugin_netrw.vim
@@ -849,4 +849,24 @@ func Test_netrw_injection()
endtry
endfunc
+" Deleting a file whose name contains an Ex command separator must not let the
+" name inject commands into the :execute in s:NetrwLocalRmFile().
+func Test_netrw_local_rm_injection()
+ CheckUnix
+ let dir = getcwd() . '/Xnetrwrm'
+ let fname = "x|let g:injected = 1"
+ call mkdir(dir, 'pR')
+ call writefile([], dir . '/' . fname)
+ try
+ call netrw#Call('NetrwLocalRmFile', dir, fname, 1)
+ call assert_false(exists('g:injected'), 'filename must not inject Ex commands')
+ " The file is removed before the sink, so its absence also confirms the
+ " vulnerable code path was actually exercised (not skipped on an error).
+ call assert_false(filereadable(dir . '/' . fname), 'crafted file must be deleted')
+ finally
+ call delete(dir . '/' . fname)
+ unlet! g:injected
+ endtry
+endfunc
+
" vim:ts=8 sts=2 sw=2 et
diff --git a/src/version.c b/src/version.c
index 770b0841c..17324c9ae 100644
--- a/src/version.c
+++ b/src/version.c
@@ -759,6 +759,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 663,
/**/
662,
/**/
Reply all
Reply to author
Forward
0 new messages