From: Christian Brabandt
Date: Sat, 23 May 2026 19:05:28 +0000 (+0000)
Subject: patch 9.2.0523: tests: no test for using shellescape() in combination with :!
X-Git-Tag: v9.2.0523^0
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fccc2adc98c3d6664f1f2d8ddab17b096e647986;p=thirdparty%2Fvim.git

patch 9.2.0523: tests: no test for using shellescape() in combination with :!

Problem: tests: no test for using shellescape() in combination with :!
Solution: Add a test that checks runtime files for using wrong combination of shellescape() with ! ex command

This has led to a few security-relevant issues, so add a test that checks all runtime files for any ! followed by a shellescape() that does not use the {special} arg.

related: Commit: 3fb5e58fbc63d86a3e65f1a141b0d67af2 (patch 9.2.0479: [security]: runtime(tar): command injection in tar plugin)
closes: #20286

Supported by AI

Signed-off-by: Christian Brabandt
---
diff --git a/src/testdir/test_codestyle.vim b/src/testdir/test_codestyle.vim index da08e71ffd..1dcca61eab 100644 --- a/src/testdir/test_codestyle.vim +++ b/src/testdir/test_codestyle.vim @@ -195,4 +195,27 @@ def Test_indent_of_source_files() endfor enddef +def Test_runtime_wrong_shellescape() + # Check that shellescape() is called with the {special} argument (a second, + # non-zero argument) when its result is used in a ":!" ex command. + # This could cause code injection! + var pattern = '\
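
Review bot: In the comment block at the top of Test_runtime_wrong_shellescape(), "This could cause code injection!" has no clear antecedent and, read literally, says that passing {special} is the risk. Suggest "Omitting {special} could cause code injection!" plus one line on the reason: ":!" expands special items such as "!" and "%" in its argument, and shellescape() only escapes those when {special} is given. Since the function is added to test_codestyle.vim, a short reference in that comment to patch 9.2.0479 would also make clear that a failure here is a security finding and not a style nit.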