Commit: patch 9.2.0202: [security]: command injection via newline in glob()
3 views
Skip to first unread message
Christian Brabandt
Mar 19, 2026, 4:17:06 PM (4 days ago) Mar 19
to vim...@googlegroups.com
patch 9.2.0202: [security]: command injection via newline in glob()
Commit: https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a
Author: pyllyukko <pyll...@maimed.org>
Date: Thu Mar 19 19:58:05 2026 +0000
patch 9.2.0202: [security]: command injection via newline in glob()
Problem: The glob() function on Unix-like systems does not escape
newline characters when expanding wildcards. A maliciously
crafted string containing '
' can be used as a command
separator to execute arbitrary shell commands via
mch_expand_wildcards(). This depends on the user's 'shell'
setting.
Solution: Add the newline character ('
') to the SHELL_SPECIAL
definition to ensure it is properly escaped before being
passed to the shell (pyllyukko).
closes: #19746
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
Signed-off-by: pyllyukko <pyll...@maimed.org>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/os_unix.c b/src/os_unix.c
index 03f764909..91bfd63d0 100644
--- a/src/os_unix.c
+++ b/src/os_unix.c
@@ -7075,7 +7075,7 @@ mch_expandpath(
# define SEEK_END 2
# endif
-# define SHELL_SPECIAL (char_u *)" \"&'$;<>()\|"
+# define SHELL_SPECIAL (char_u *)" \"&'$;<>()\|
"
int
mch_expand_wildcards(
diff --git a/src/version.c b/src/version.c
index f4d0d87ae..79de52f6a 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 202,
/**/
201,
/**/
Commit: https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a
Author: pyllyukko <pyll...@maimed.org>
Date: Thu Mar 19 19:58:05 2026 +0000
patch 9.2.0202: [security]: command injection via newline in glob()
Problem: The glob() function on Unix-like systems does not escape
newline characters when expanding wildcards. A maliciously
crafted string containing '
' can be used as a command
separator to execute arbitrary shell commands via
mch_expand_wildcards(). This depends on the user's 'shell'
setting.
Solution: Add the newline character ('
') to the SHELL_SPECIAL
definition to ensure it is properly escaped before being
passed to the shell (pyllyukko).
closes: #19746
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
Signed-off-by: pyllyukko <pyll...@maimed.org>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/os_unix.c b/src/os_unix.c
index 03f764909..91bfd63d0 100644
--- a/src/os_unix.c
+++ b/src/os_unix.c
@@ -7075,7 +7075,7 @@ mch_expandpath(
# define SEEK_END 2
# endif
-# define SHELL_SPECIAL (char_u *)" \"&'$;<>()\|"
+# define SHELL_SPECIAL (char_u *)" \"&'$;<>()\|
"
int
mch_expand_wildcards(
diff --git a/src/version.c b/src/version.c
index f4d0d87ae..79de52f6a 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 202,
/**/
201,
/**/
Reply all
Reply to author
Forward
0 new messages