runtime(tar): Make the path traversal detection more robust
Commit:
https://github.com/vim/vim/commit/7ccb81bdb6c5454ff801be11082775ec82a96efc
Author: Christian Brabandt <[email protected]>
Date: Sat Feb 7 10:12:34 2026 +0000
runtime(tar): Make the path traversal detection more robust
closes: https://github.com/vim/vim/issues/19341
Signed-off-by: Christian Brabandt <[email protected]>
diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
index 944a2ed10..73829a2d5 100644
--- a/runtime/autoload/tar.vim
+++ b/runtime/autoload/tar.vim
@@ -19,6 +19,7 @@
" 2025 Jul 13 by Vim Project: warn with path traversal attacks
" 2025 Jul 16 by Vim Project: update minimum vim version
" 2026 Feb 06 by Vim Project: consider 'nowrapscan' (#19333)
+" 2026 Feb 07 by Vim Project: make the path traversal detection more robust
(#19341)
"
" Contains many ideas from Michael Toren's <tar.vim>
"
@@ -111,7 +112,7 @@ if !exists("g:tar_shq")
endif
let g:tar_secure=' -- '
-let g:tar_leading_pat='^\%([.]\{,2\}/\)\+'
+let g:tar_leading_pat='\m^\%([.]\{,2\}/\)\+'
" ----------------
" Functions: {{{1
@@ -227,7 +228,7 @@ fun! tar#Browse(tarfile)
" remove tar: Removing leading '/' from member names
" Note: the message could be localized
- if search('^tar: ', 'w') > 0 || search(g:tar_leading_pat, 'w') > 0
+ if search('\m^g\?tar: ', 'w') > 0 || search(g:tar_leading_pat, 'w') > 0
call append(3,'" Note: Path Traversal Attack detected!')
let b:leading_slash = 1
" remove the message output