runtime(netrw): use fnameescape() with FileUrlEdit()

chrisbra · chrisbra · commit 3e60f03d942d · 2026-04-01T14:47:16.000Z
Signed-off-by: Christian Brabandt &lt;cb@256bit.org&gt;
diff --git a/runtime/pack/dist/opt/netrw/autoload/netrw.vim b/runtime/pack/dist/opt/netrw/autoload/netrw.vim
@@ -22,6 +22,7 @@
 " 2026 Feb 21 by Vim Project better absolute path detection on MS-Windows #19477
 " 2026 Feb 27 by Vim Project Make the hostname validation more strict
 " 2026 Mar 01 by Vim Project include portnumber in hostname checking #19533
+" 2026 Apr 01 by Vim Project use fnameescape() with netrw#FileUrlEdit()
 " Copyright:  Copyright (C) 2016 Charles E. Campbell {{{1
 "             Permission is hereby granted to use and distribute this code,
 "             with or without modifications, provided that this copyright
@@ -8282,7 +8283,7 @@ function netrw#FileUrlEdit(fname)
     endif
 
     exe "sil doau BufReadPre ".fname2396e
-    exe 'NetrwKeepj keepalt edit '.plainfname
+    exe 'NetrwKeepj keepalt edit '. fnameescape(plainfname)
     exe 'sil! NetrwKeepj keepalt bdelete '.fnameescape(a:fname)
 
     exe "sil doau BufReadPost ".fname2396e
diff --git a/src/testdir/test_plugin_netrw.vim b/src/testdir/test_plugin_netrw.vim
@@ -595,4 +595,12 @@ func Test_netrw_hostname()
   endfor
 endfunc
 
+func Test_netrw_FileUrlEdit_pipe_injection()
+  CheckExecutable id
+  let fname = 'Xtestfile'
+  let url = 'file:///tmp/file.md%7C!id>'..fname
+  sil call netrw#FileUrlEdit(url)
+  call assert_false(filereadable(fname), 'Command injection via pipe in file URL')
+endfunc
+
 " vim:ts=8 sts=2 sw=2 et
