patch 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract()
Commit: https://github.com/vim/vim/commit/490b737f3e172c3c66744c7531ee85f19618419d Author: q1uf3ng <[email protected]> Date: Wed Apr 15 18:20:55 2026 +0000 patch 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract() Problem: runtime(tar): missing path traversal checks in tar#Extract() Solution: Add check for leading slash, however gnu tar should already detect this (q1uf3ng) tar#Extract() did not check for ../ sequences or absolute paths, unlike zip#Extract() which was patched in recent commits. Add the same checks: ../ (relative traversal), leading slash (Unix), drive letter and UNC/leading slash (Windows). closes: #19981 Signed-off-by: q1uf3ng <[email protected]> Signed-off-by: Christian Brabandt <[email protected]> diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim index 722a0ab68..6aa3489e5 100644 --- a/runtime/autoload/tar.vim +++ b/runtime/autoload/tar.vim @@ -23,6 +23,7 @@ " 2026 Apr 06 by Vim Project: fix bugs with lz4 support (#19925) " 2026 Apr 09 by Vim Project: fix bugs with zstd support (#19930) " 2026 Apr 09 by Vim Project: fix bug with dotted filename (#19930) +" 2026 Apr 15 by Vim Project: fix more path traversal issues (#19981) " " Contains many ideas from Michael Toren's <tar.vim> " @@ -612,6 +613,24 @@ fun! tar#Extract() let &report= repkeep return endif + if fname =~ '^[.]\?[.]/' || simplify(fname) =~ '\.\.[/\]' + call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!") + let &report= repkeep + return + endif + if has("unix") + if fname =~ '^/' + call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!") + let &report= repkeep + return + endif + else + if fname =~ '^\%( :[\/]\|[\/]\)' + call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!") + let &report= repkeep + return + endif + endif let extractcmd= s:WinPath(g:tar_extractcmd) let tarball = expand("%") diff --git a/src/testdir/test_plugin_tar.vim b/src/testdir/test_plugin_tar.vim index 80b7a76d6..56f25df2a 100644 --- a/src/testdir/test_plugin_tar.vim +++ b/src/testdir/test_plugin_tar.vim @@ -86,6 +86,11 @@ def g:Test_tar_evil() assert_equal("X.tar", @%) assert_equal(1, b:leading_slash) + ### Press x to extract + :6 + var mess = execute(":normal x", '') + assert_match('(tar#Extract) Path Traversal Attack detected, not extracting!', mess) + ### Check ENTER on file :6 exe ":normal \<cr>" diff --git a/src/version.c b/src/version.c index 513632bd8..c0f826a17 100644 --- a/src/version.c +++ b/src/version.c @@ -734,6 +734,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 355, /**/ 354, /**/ -- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/vim_dev/E1wD5EW-004RKT-4e%40256bit.org.
