runtime(netrw): use fnameescape() with FileUrlEdit()

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/runtime/pack/dist/opt/netrw/autoload/netrw.vim b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
index e31b34cb87467067a8679ee01a96b1b6e9b74a17..1520ff969e2db4592f4d627b808149b09c71e1af 100644 (file)
--- a/runtime/pack/dist/opt/netrw/autoload/netrw.vim
+++ b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
@@ -22,6 +22,7 @@
 " 2026 Feb 21 by Vim Project better absolute path detection on MS-Windows #19477
 " 2026 Feb 27 by Vim Project Make the hostname validation more strict
 " 2026 Mar 01 by Vim Project include portnumber in hostname checking #19533
+" 2026 Apr 01 by Vim Project use fnameescape() with netrw#FileUrlEdit()
 " Copyright:  Copyright (C) 2016 Charles E. Campbell {{{1
 "             Permission is hereby granted to use and distribute this code,
 "             with or without modifications, provided that this copyright
@@ -8282,7 +8283,7 @@ function netrw#FileUrlEdit(fname)
     endif
 
     exe "sil doau BufReadPre ".fname2396e
-    exe 'NetrwKeepj keepalt edit '.plainfname
+    exe 'NetrwKeepj keepalt edit '. fnameescape(plainfname)
     exe 'sil! NetrwKeepj keepalt bdelete '.fnameescape(a:fname)
 
     exe "sil doau BufReadPost ".fname2396e

diff --git a/src/testdir/test_plugin_netrw.vim b/src/testdir/test_plugin_netrw.vim
index ced6284197aaf298d42e49187c72f268a5f9681c..478908824bc4a343aae436dd8d24880f252e50f1 100644 (file)
--- a/src/testdir/test_plugin_netrw.vim
+++ b/src/testdir/test_plugin_netrw.vim
@@ -595,4 +595,12 @@ func Test_netrw_hostname()
   endfor
 endfunc
 
+func Test_netrw_FileUrlEdit_pipe_injection()
+  CheckExecutable id
+  let fname = 'Xtestfile'
+  let url = 'file:///tmp/file.md%7C!id>'..fname
+  sil call netrw#FileUrlEdit(url)
+  call assert_false(filereadable(fname), 'Command injection via pipe in file URL')
+endfunc
+
 " vim:ts=8 sts=2 sw=2 et