Commit: patch 9.2.0089: netrw: does not take port into account in hostname validation
2 views
Skip to first unread message
Christian Brabandt
Mar 1, 2026, 2:46:51 PM (3 days ago) Mar 1
to vim...@googlegroups.com
patch 9.2.0089: netrw: does not take port into account in hostname validation
Commit: https://github.com/vim/vim/commit/a6198523fb28a50d96945458792cdb4787d3cdda
Author: Miguel Barro <miguel...@live.com>
Date: Sun Mar 1 19:32:29 2026 +0000
patch 9.2.0089: netrw: does not take port into account in hostname validation
Problem: netrw: does not take port into account in hostname validation
(after v9.2.0073)
Solution: Update hostname validation check and test for an optional port
number (Miguel Barro)
closes: #19533
Signed-off-by: Miguel Barro <miguel...@live.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/runtime/pack/dist/opt/netrw/autoload/netrw.vim b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
index 25ca4e8a1..e31b34cb8 100644
--- a/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+++ b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
@@ -21,6 +21,7 @@
" 2026 Feb 15 by Vim Project fix global variable initialization for MS-Windows #19287
" 2026 Feb 21 by Vim Project better absolute path detection on MS-Windows #19477
" 2026 Feb 27 by Vim Project Make the hostname validation more strict
+" 2026 Mar 01 by Vim Project include portnumber in hostname checking #19533
" Copyright: Copyright (C) 2016 Charles E. Campbell {{{1
" Permission is hereby granted to use and distribute this code,
" with or without modifications, provided that this copyright
@@ -2592,7 +2593,8 @@ endfunction
" s:NetrwValidateHostname: Validate that the hostname is valid {{{2
" Input:
-" hostname, may include an optional username, e.g. user@hostname
+" hostname, may include an optional username and port number, e.g.
+" user@hostname:port
" allow a alphanumeric hostname or an IPv(4/6) address
" Output:
" true if g:netrw_machine is valid according to RFC1123 #Section 2
@@ -2601,17 +2603,19 @@ function s:NetrwValidateHostname(hostname)
let user_pat = '\%([a-zA-Z0-9._-]\+@\)\?'
" Hostname: 1-64 chars, alphanumeric/dots/hyphens.
" No underscores. No leading/trailing dots/hyphens.
- let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]{,62}[a-zA-Z0-9]\)\?$'
+ let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]\{0,62}[a-zA-Z0-9]\)\?'
+ " Port: 16 bit unsigned integer
+ let port_pat = '\%(:\d\{1,5\}\)\?$'
" IPv4: 1-3 digits separated by dots
- let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}$'
+ let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}'
" IPv6: Hex, colons, and optional brackets
- let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?$'
+ let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?'
- return a:hostname =~? '^'.user_pat.host_pat ||
- \ a:hostname =~? '^'.user_pat.ipv4_pat ||
- \ a:hostname =~? '^'.user_pat.ipv6_pat
+ return a:hostname =~? '^'.user_pat.host_pat.port_pat ||
+ \ a:hostname =~? '^'.user_pat.ipv4_pat.port_pat ||
+ \ a:hostname =~? '^'.user_pat.ipv6_pat.port_pat
endfunction
" NetUserPass: set username and password for subsequent ftp transfer {{{2
diff --git a/src/testdir/test_plugin_netrw.vim b/src/testdir/test_plugin_netrw.vim
index 99dba4b96..a4ab956a0 100644
--- a/src/testdir/test_plugin_netrw.vim
+++ b/src/testdir/test_plugin_netrw.vim
@@ -133,6 +133,11 @@ function Test_NetrwFile(fname) abort
return s:NetrwFile(a:fname)
endfunction
+" Test hostname validation
+function Test_NetrwValidateHostname(hostname) abort
+ return s:NetrwValidateHostname(a:hostname)
+endfunction
+
" }}}
END
@@ -564,6 +569,30 @@ func Test_netrw_reject_evil_hostname()
let msg = execute(':e scp://x;touch RCE;x/dir/')
let msg = split(msg, "
")[-1]
call assert_match('Rejecting invalid hostname', msg)
-endfunction
+endfunc
+
+func Test_netrw_hostname()
+ let valid_hostnames = [
+ \ 'localhost',
+ \ '127.0.0.1',
+ \ '::1',
+ \ '0:0:0:0:0:0:0:1',
+ \ 'user@localhost',
+ \ 'usu...@127.0.0.1',
+ \ 'utilisateur@::1',
+ \ 'benutzer@0:0:0:0:0:0:0:1',
+ \ 'localhost:22',
+ \ '127.0.0.1:80',
+ \ '[::1]:443',
+ \ '[0:0:0:0:0:0:0:1]:5432',
+ \ 'user@localhost:22',
+ \ 'usu...@127.0.0.1:80',
+ \ 'utilisateur@[::1]:443',
+ \ 'benutzer@[0:0:0:0:0:0:0:1]:5432']
+
+ for hostname in valid_hostnames
+ call assert_true(Test_NetrwValidateHostname(hostname), $"Valid hostname {hostname} was rejected")
+ endfor
+endfunc
" vim:ts=8 sts=2 sw=2 et
diff --git a/src/version.c b/src/version.c
index 8dde23bf0..670dc27f6 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 89,
/**/
88,
/**/
Commit: https://github.com/vim/vim/commit/a6198523fb28a50d96945458792cdb4787d3cdda
Author: Miguel Barro <miguel...@live.com>
Date: Sun Mar 1 19:32:29 2026 +0000
patch 9.2.0089: netrw: does not take port into account in hostname validation
Problem: netrw: does not take port into account in hostname validation
(after v9.2.0073)
Solution: Update hostname validation check and test for an optional port
number (Miguel Barro)
closes: #19533
Signed-off-by: Miguel Barro <miguel...@live.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/runtime/pack/dist/opt/netrw/autoload/netrw.vim b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
index 25ca4e8a1..e31b34cb8 100644
--- a/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+++ b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
@@ -21,6 +21,7 @@
" 2026 Feb 15 by Vim Project fix global variable initialization for MS-Windows #19287
" 2026 Feb 21 by Vim Project better absolute path detection on MS-Windows #19477
" 2026 Feb 27 by Vim Project Make the hostname validation more strict
+" 2026 Mar 01 by Vim Project include portnumber in hostname checking #19533
" Copyright: Copyright (C) 2016 Charles E. Campbell {{{1
" Permission is hereby granted to use and distribute this code,
" with or without modifications, provided that this copyright
@@ -2592,7 +2593,8 @@ endfunction
" s:NetrwValidateHostname: Validate that the hostname is valid {{{2
" Input:
-" hostname, may include an optional username, e.g. user@hostname
+" hostname, may include an optional username and port number, e.g.
+" user@hostname:port
" allow a alphanumeric hostname or an IPv(4/6) address
" Output:
" true if g:netrw_machine is valid according to RFC1123 #Section 2
@@ -2601,17 +2603,19 @@ function s:NetrwValidateHostname(hostname)
let user_pat = '\%([a-zA-Z0-9._-]\+@\)\?'
" Hostname: 1-64 chars, alphanumeric/dots/hyphens.
" No underscores. No leading/trailing dots/hyphens.
- let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]{,62}[a-zA-Z0-9]\)\?$'
+ let host_pat = '[a-zA-Z0-9]\%([-a-zA-Z0-9.]\{0,62}[a-zA-Z0-9]\)\?'
+ " Port: 16 bit unsigned integer
+ let port_pat = '\%(:\d\{1,5\}\)\?$'
" IPv4: 1-3 digits separated by dots
- let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}$'
+ let ipv4_pat = '\%(\d\{1,3}\.\)\{3\}\d\{1,3\}'
" IPv6: Hex, colons, and optional brackets
- let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?$'
+ let ipv6_pat = '\[\?\%([a-fA-F0-9:]\{2,}\)\+\]\?'
- return a:hostname =~? '^'.user_pat.host_pat ||
- \ a:hostname =~? '^'.user_pat.ipv4_pat ||
- \ a:hostname =~? '^'.user_pat.ipv6_pat
+ return a:hostname =~? '^'.user_pat.host_pat.port_pat ||
+ \ a:hostname =~? '^'.user_pat.ipv4_pat.port_pat ||
+ \ a:hostname =~? '^'.user_pat.ipv6_pat.port_pat
endfunction
" NetUserPass: set username and password for subsequent ftp transfer {{{2
diff --git a/src/testdir/test_plugin_netrw.vim b/src/testdir/test_plugin_netrw.vim
index 99dba4b96..a4ab956a0 100644
--- a/src/testdir/test_plugin_netrw.vim
+++ b/src/testdir/test_plugin_netrw.vim
@@ -133,6 +133,11 @@ function Test_NetrwFile(fname) abort
return s:NetrwFile(a:fname)
endfunction
+" Test hostname validation
+function Test_NetrwValidateHostname(hostname) abort
+ return s:NetrwValidateHostname(a:hostname)
+endfunction
+
" }}}
END
@@ -564,6 +569,30 @@ func Test_netrw_reject_evil_hostname()
let msg = execute(':e scp://x;touch RCE;x/dir/')
let msg = split(msg, "
")[-1]
call assert_match('Rejecting invalid hostname', msg)
-endfunction
+endfunc
+
+func Test_netrw_hostname()
+ let valid_hostnames = [
+ \ 'localhost',
+ \ '127.0.0.1',
+ \ '::1',
+ \ '0:0:0:0:0:0:0:1',
+ \ 'user@localhost',
+ \ 'usu...@127.0.0.1',
+ \ 'utilisateur@::1',
+ \ 'benutzer@0:0:0:0:0:0:0:1',
+ \ 'localhost:22',
+ \ '127.0.0.1:80',
+ \ '[::1]:443',
+ \ '[0:0:0:0:0:0:0:1]:5432',
+ \ 'user@localhost:22',
+ \ 'usu...@127.0.0.1:80',
+ \ 'utilisateur@[::1]:443',
+ \ 'benutzer@[0:0:0:0:0:0:0:1]:5432']
+
+ for hostname in valid_hostnames
+ call assert_true(Test_NetrwValidateHostname(hostname), $"Valid hostname {hostname} was rejected")
+ endfor
+endfunc
" vim:ts=8 sts=2 sw=2 et
diff --git a/src/version.c b/src/version.c
index 8dde23bf0..670dc27f6 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 89,
/**/
88,
/**/
Reply all
Reply to author
Forward
0 new messages