" s:NetrwMaps: {{{2
function s:NetrwMaps(islocal)
+ " remove B flag from 'cpo' so that \<CR>, \<Bar>, etc. inside
+ " interpolated path names play back as literal text rather than
+ " the actual key — without this, a crafted directory name can
+ " inject keystrokes into the cmdline the mapping is typing
+ let _cpo = &cpo
+ set cpo-=B
" mouse <Plug> maps: {{{3
if g:netrw_mousemaps && g:netrw_retmap
" support user-specified maps
call netrw#UserMaps(0)
endif " }}}3
+ let &cpo = _cpo
endfunction
" s:NetrwCommands: set up commands {{{2
let path = tempname()
let fname = 'x" . execute("silent! !touch poc") . "'
call mkdir(path, 'R')
+ let _cwd = getcwd()
exe "cd " path
call writefile([], fname)
Explore .
:norm mf
:norm mf
call assert_false(filereadable('poc'), 'Command injection via mf command')
+ exe "cd " _cwd
+ bw!
endfunc
+function Test_netrw_NetrwMaps_CR_dirname()
+ CheckNotMSWindows
+
+ let tmpdir = tempname() . '/evil<CR>:let g:netrw_pwn=1<CR>'
+ call mkdir(tmpdir, 'pR')
+ call assert_true(isdirectory(tmpdir))
+ exe ":Explore " tmpdir
+ " Fire D
+ " If the commands are injected successfully,
+ " this fails with
+ " Vim(let):E488: Trailing characters: \ @ command line script
+ call feedkeys("D\<C-c>\<C-c>", "xt")
+ call assert_false(exists("g:netrw_pwn"))
+
+ unlet! g:netrw_pwn
+ bw!
+endfunction
" vim:ts=8 sts=2 sw=2 et
projects / thirdparty / vim.git / commitdiff
