Commit: patch 9.2.0480: [security]: runtime(netrw): code injection via mf command
2 views
Skip to first unread message
Christian Brabandt
May 14, 2026, 1:00:13 PM (24 hours ago) May 14
to vim...@googlegroups.com
patch 9.2.0480: [security]: runtime(netrw): code injection via mf command
Commit: https://github.com/vim/vim/commit/8af0f098c3a42a28661d0295364e6e0fd7dbc92c
Author: Christian Brabandt <c...@256bit.org>
Date: Thu May 14 16:43:15 2026 +0000
patch 9.2.0480: [security]: runtime(netrw): code injection via mf command
Problem: [security]: runtime(netrw): code injection via mf command
(Christopher Lusk, Zdenek Dohnal)
Solution: Do not use string concatenation inside the filter() commands
(Zdenek Dohnal)
Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-66hr-7p6x-x5j3
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/runtime/pack/dist/opt/netrw/autoload/netrw.vim b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
index fbd396566..8681091f0 100644
--- a/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+++ b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
@@ -1,7 +1,7 @@
" Creator: Charles E Campbell
" Previous Maintainer: Luca Saccarola <github...@aleeas.com>
" Maintainer: This runtime file is looking for a new maintainer.
-" Last Change: 2026 May 11
+" Last Change: 2026 May 14
" Copyright: Copyright (C) 2016 Charles E. Campbell {{{1
" Permission is hereby granted to use and distribute this code,
" with or without modifications, provided that this copyright
@@ -5153,7 +5153,7 @@ function s:NetrwMarkFile(islocal,fname)
else
" remove filename from buffer's markfilelist
- call filter(s:netrwmarkfilelist_{curbufnr},'v:val != a:fname')
+ call filter(s:netrwmarkfilelist_{curbufnr}, {_, v -> v !=# a:fname})
if s:netrwmarkfilelist_{curbufnr} == []
" local markfilelist is empty; remove it entirely
call s:NetrwUnmarkList(curbufnr,curdir)
@@ -5174,7 +5174,6 @@ function s:NetrwMarkFile(islocal,fname)
else
" initialize new markfilelist
-
let s:netrwmarkfilelist_{curbufnr}= []
call add(s:netrwmarkfilelist_{curbufnr},substitute(a:fname,'[|@]$','',''))
@@ -5194,7 +5193,7 @@ function s:NetrwMarkFile(islocal,fname)
call add(s:netrwmarkfilelist,netrw#fs#ComposePath(b:netrw_curdir,a:fname))
else
" remove new filename from global markfilelist
- call filter(s:netrwmarkfilelist,'v:val != "'.dname.'"')
+ call filter(s:netrwmarkfilelist, {_, v -> v !=# dname})
if s:netrwmarkfilelist == []
unlet s:netrwmarkfilelist
endif
@@ -7217,7 +7216,7 @@ function s:NetrwTreeDisplay(dir,depth)
" hide given patterns
let listhide= split(g:netrw_list_hide,',')
for pat in listhide
- call filter(w:netrw_treedict[dir],'v:val !~ "'.escape(pat,'\').'"')
+ call filter(w:netrw_treedict[dir], {_, v -> v !~# pat})
endfor
elseif g:netrw_hide == 2
diff --git a/src/testdir/test_plugin_netrw.vim b/src/testdir/test_plugin_netrw.vim
index c6bd589a4..72bf8300e 100644
--- a/src/testdir/test_plugin_netrw.vim
+++ b/src/testdir/test_plugin_netrw.vim
@@ -725,4 +725,19 @@ func Test_netrw_bookmark_marked_file()
bw!
endfunc
+func Test_netrw_mf_command_injection()
+ CheckUnix
+ CheckExecutable touch
+ let path = tempname()
+ let fname = 'x" . execute("silent! !touch poc") . "'
+ call mkdir(path, 'R')
+ exe "cd " path
+ call writefile([], fname)
+ Explore .
+ call search('^x')
+ :norm mf
+ :norm mf
+ call assert_false(filereadable('poc'), 'Command injection via mf command')
+endfunc
+
" vim:ts=8 sts=2 sw=2 et
diff --git a/src/version.c b/src/version.c
index c98028a80..df580d3de 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 480,
/**/
479,
/**/
Commit: https://github.com/vim/vim/commit/8af0f098c3a42a28661d0295364e6e0fd7dbc92c
Author: Christian Brabandt <c...@256bit.org>
Date: Thu May 14 16:43:15 2026 +0000
patch 9.2.0480: [security]: runtime(netrw): code injection via mf command
Problem: [security]: runtime(netrw): code injection via mf command
(Christopher Lusk, Zdenek Dohnal)
Solution: Do not use string concatenation inside the filter() commands
(Zdenek Dohnal)
Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-66hr-7p6x-x5j3
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/runtime/pack/dist/opt/netrw/autoload/netrw.vim b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
index fbd396566..8681091f0 100644
--- a/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+++ b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
@@ -1,7 +1,7 @@
" Creator: Charles E Campbell
" Previous Maintainer: Luca Saccarola <github...@aleeas.com>
" Maintainer: This runtime file is looking for a new maintainer.
-" Last Change: 2026 May 11
+" Last Change: 2026 May 14
" Copyright: Copyright (C) 2016 Charles E. Campbell {{{1
" Permission is hereby granted to use and distribute this code,
" with or without modifications, provided that this copyright
@@ -5153,7 +5153,7 @@ function s:NetrwMarkFile(islocal,fname)
else
" remove filename from buffer's markfilelist
- call filter(s:netrwmarkfilelist_{curbufnr},'v:val != a:fname')
+ call filter(s:netrwmarkfilelist_{curbufnr}, {_, v -> v !=# a:fname})
if s:netrwmarkfilelist_{curbufnr} == []
" local markfilelist is empty; remove it entirely
call s:NetrwUnmarkList(curbufnr,curdir)
@@ -5174,7 +5174,6 @@ function s:NetrwMarkFile(islocal,fname)
else
" initialize new markfilelist
-
let s:netrwmarkfilelist_{curbufnr}= []
call add(s:netrwmarkfilelist_{curbufnr},substitute(a:fname,'[|@]$','',''))
@@ -5194,7 +5193,7 @@ function s:NetrwMarkFile(islocal,fname)
call add(s:netrwmarkfilelist,netrw#fs#ComposePath(b:netrw_curdir,a:fname))
else
" remove new filename from global markfilelist
- call filter(s:netrwmarkfilelist,'v:val != "'.dname.'"')
+ call filter(s:netrwmarkfilelist, {_, v -> v !=# dname})
if s:netrwmarkfilelist == []
unlet s:netrwmarkfilelist
endif
@@ -7217,7 +7216,7 @@ function s:NetrwTreeDisplay(dir,depth)
" hide given patterns
let listhide= split(g:netrw_list_hide,',')
for pat in listhide
- call filter(w:netrw_treedict[dir],'v:val !~ "'.escape(pat,'\').'"')
+ call filter(w:netrw_treedict[dir], {_, v -> v !~# pat})
endfor
elseif g:netrw_hide == 2
diff --git a/src/testdir/test_plugin_netrw.vim b/src/testdir/test_plugin_netrw.vim
index c6bd589a4..72bf8300e 100644
--- a/src/testdir/test_plugin_netrw.vim
+++ b/src/testdir/test_plugin_netrw.vim
@@ -725,4 +725,19 @@ func Test_netrw_bookmark_marked_file()
bw!
endfunc
+func Test_netrw_mf_command_injection()
+ CheckUnix
+ CheckExecutable touch
+ let path = tempname()
+ let fname = 'x" . execute("silent! !touch poc") . "'
+ call mkdir(path, 'R')
+ exe "cd " path
+ call writefile([], fname)
+ Explore .
+ call search('^x')
+ :norm mf
+ :norm mf
+ call assert_false(filereadable('poc'), 'Command injection via mf command')
+endfunc
+
" vim:ts=8 sts=2 sw=2 et
diff --git a/src/version.c b/src/version.c
index c98028a80..df580d3de 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 480,
/**/
479,
/**/
Reply all
Reply to author
Forward
0 new messages