summaryrefslogtreecommitdiffstatshomepage
path: root/runtime/lua/vim/provider/python.lua
diff options
context:
space:
mode:
authorzeertzjq <zeertzjq@outlook.com>2026-03-20 08:19:52 +0800
committerGitHub <noreply@github.com>2026-03-20 08:19:52 +0800
commitf577e055221e4cde198401731e9568a9c4b3de50 (patch)
treeecc8ff9f7e0f4e38eceb14e2c6acbb7a509a612d /runtime/lua/vim/provider/python.lua
parenta18d51a9580e4f60c47766bfd8bbded4b465dd73 (diff)
vim-patch:9.2.0202: [security]: command injection via newline in glob() (#38385)
Problem: The glob() function on Unix-like systems does not escape newline characters when expanding wildcards. A maliciously crafted string containing '\n' can be used as a command separator to execute arbitrary shell commands via mch_expand_wildcards(). This depends on the user's 'shell' setting. Solution: Add the newline character ('\n') to the SHELL_SPECIAL definition to ensure it is properly escaped before being passed to the shell (pyllyukko). closes: vim/vim#19746 Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a Co-authored-by: pyllyukko <pyllyukko@maimed.org>
Diffstat (limited to 'runtime/lua/vim/provider/python.lua')
0 files changed, 0 insertions, 0 deletions