Security Issue: Execute the exe file when opening a file with same filename without file extension

[zeze-zeze]

Hi, we are security researchers from Taiwan.
Here are our github: https://github.com/zeze-zeze、https://github.com/hsuck

Environment:
OS: Windows10 1709
FarManager: v3.0.5861.2321

Reproduce:

1. Place a file in a directory
2. Place an another file with the same filename, but with extension name exe
3. Open FarManager.exe and navigate to the directory
4. Move to the file without extension (not exe) and press enter, and it will execute the exe

Reason:
The project uses Windows API ShellExecute, which executes the exe with the same filename when opening a file without extension by default.

Possible Fix:
I think it should not be the default functionality for the project to do so.
As CVE-2020-35112, it should be handled whenever opening a file without extension, the program will open the explorer toward the file.

Demo Video:
https://drive.google.com/file/d/1RlDF_D8LFRnRLPA5yG_5SKDbII2KLYaL/view?usp=sharing

[alabuzhev]

Hi, thanks for your report.
Should be fixed in 5862 / eaa9244.