runtime(vimball): detect more path traversal attacks

Commit: 
https://github.com/vim/vim/commit/3e194b10685a99a63a2bf4c97beac3541af0c4ac
Author: Christian Brabandt <[email protected]>
Date:   Thu Apr 9 18:35:39 2026 +0000

    runtime(vimball): detect more path traversal attacks
    
    Signed-off-by: Christian Brabandt <[email protected]>

diff --git a/runtime/autoload/vimball.vim b/runtime/autoload/vimball.vim
index fb4df5eb6..d661ded63 100644
--- a/runtime/autoload/vimball.vim
+++ b/runtime/autoload/vimball.vim
@@ -6,7 +6,8 @@
 " GetLatestVimScripts: 1502 1 :AutoInstall: vimball.vim
 "  Last Change:
 "   2025 Feb 28 by Vim Project: add support for bzip3 (#16755)
-"   2026 Apr 05 by Vim Project: Detect Path Traversal Attacks
+"   2026 Apr 05 by Vim Project: Detect path traversal attacks
+"   2026 Apr 09 by Vim Project: Detect more path traversal attacks
 " Copyright: (c) 2004-2011 by Charles E. Campbell
 "            The VIM LICENSE applies to Vimball.vim, and Vimball.txt
 "            (see |copyright|) except use "Vimball" instead of "Vim".
@@ -229,7 +230,8 @@ fun! vimball#Vimball(really,...)
    let fsize   = substitute(getline(linenr+1),'^\(\d\+\).\{-}$',' ','')+0
    let fenc    = substitute(getline(linenr+1),'^\d\+\s*\(\S\{-}\)$',' ','')
    let filecnt = filecnt + 1
-   if fname =~ '\.\.'
+   " Do not allow a leading / or .. anywhere in the file name
+   if fname =~ '\.\.' || fname =~ '^/'
      echomsg "(Vimball) Path Traversal Attack detected, aborting..."
      exe "tabn ".curtabnr
      bw! Vimball
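Review bot: The new guard on the `if fname =~ '\.\.' || fname =~ '^/'` line only rejects a leading forward slash, so on Windows a drive-letter or backslash-rooted name such as `C:\foo` or `\\host\share\foo` still passes and can be written outside the extraction directory, and a `~`-prefixed name would too if the later write goes through Vim's file-name expansion. Both patterns also inherit the user's 'magic' setting, because `=~` honours it and neither pattern carries `\m`, so under 'nomagic' `\.` matches any character and the `..` check degrades silently. I would replace the condition with `if fname =~ '\m\%(\.\.\|^[/\\~]\|^\a:\)'` and extend the comment to `" Reject .., a leading /, \ or ~, and a drive letter anywhere in the file name`. The enclosing function vimball#Vimball starts before this hunk and continues past it, so the post-abort control flow is not visible here.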
