runtime(zip): also block single leading slash and absolute paths in Extract
Commit: https://github.com/vim/vim/commit/351a16c88f56aeeca5e06095624dd701b264b2a9 Author: q1uf3ng <[email protected]> Date: Wed Apr 15 04:03:02 2026 +0000 runtime(zip): also block single leading slash and absolute paths in Extract zip#Write(): the Windows path check did not match a single leading slash (/path), which resolves to the current drive root on Windows. Simplify the regex to match any leading slash or backslash. zip#Extract(): add absolute path checks for both Unix and Windows, matching the existing checks in zip#Write(). closes: #19976 Signed-off-by: q1uf3ng <[email protected]> Signed-off-by: Christian Brabandt <[email protected]> diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim index 6a2d6daa3..aad548239 100644 --- a/runtime/autoload/zip.vim +++ b/runtime/autoload/zip.vim @@ -23,6 +23,7 @@ " 2026 Apr 01 by Vim Project: Detect more path traversal attacks " 2026 Apr 05 by Vim Project: Detect more path traversal attacks " 2026 Apr 14 by Vim Project: Detect more path traversal attacks on Windows +" 2026 Apr 15 by Vim Project: Detect more path traversal attacks on Windows " License: Vim License (see vim's :help license) " Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1 " Permission is hereby granted to use and distribute this code, @@ -406,8 +407,8 @@ fun! zip#Write(fname) else let zipfile = substitute(a:fname,'^.\{-}zipfile://\(.\{-}\)::[^\].*$',' ','') let fname = substitute(a:fname,'^.\{-}zipfile://.\{-}::\([^\].*\)$',' ','') - " fname should not start with drive leter or a UNC path - if fname =~ '^\%(\%( :[\/]\)\|[\/]\{2}\)' + " fname should not start with drive letter, UNC path, or leading slash + if fname =~ '^\%( :[\/]\|[\/]\)' call s:Mess('Error', "***error*** (zip#Write) Path Traversal Attack detected, not writing!") call s:ChgDir(curdir,s:WARNING,"(zip#Write) unable to return to ".curdir."!") return @@ -505,6 +506,18 @@ fun! zip#Extract() call s:Mess('Error', "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!") return endif + " block absolute paths + if has("unix") + if fname =~ '^/' + call s:Mess('Error', "***error*** (zip#Extract) Path Traversal Attack detected, not extracting!") + return + endif + else + if fname =~ '^\%( :[\/]\|[\/]\)' + call s:Mess('Error', "***error*** (zip#Extract) Path Traversal Attack detected, not extracting!") + return + endif + endif if filereadable(fname) call s:Mess('Error', "***error*** (zip#Extract) <" .. fname .."> already exists in directory, not overwriting!") return -- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/vim_dev/E1wD2tN-004Gff-OR%40256bit.org.
