while linenr <= a:line2
let svfile = getline(linenr)
-
+
if !filereadable(svfile)
call vimball#ShowMesg(s:ERROR,"unable to read file<".svfile.">")
call s:ChgDir(curdir)
call vimball#RestoreSettings()
return
endif
-
+
" create/switch to mkvimball tab
if !exists("vbtabnr")
tabnew
else
exe "tabn ".vbtabnr
endif
-
+
let lastline= line("$") + 1
if lastline == 2 && getline("$") == ""
call setline(1,'" Vimball Archiver by Charles E. Campbell')
" ---------------------------------------------------------------------
" vimball#Vimball: extract and distribute contents from a vimball {{{2
-" (invoked the the UseVimball command embedded in
+" (invoked the the UseVimball command embedded in
" vimballs' prologue)
fun! vimball#Vimball(really,...)
" give title to listing of (extracted) files from Vimball Archive
if a:really
echohl Title | echomsg "Vimball Archive" | echohl None
- else
+ else
echohl Title | echomsg "Vimball Archive Listing" | echohl None
echohl Statement | echomsg "files would be placed under: ".home | echohl None
endif
bw! Vimball
call s:ChgDir(curdir)
return
+ " Also, disallow strange paths, that could lead to code execution from
+ " .VimballRecord
+ " Disallow: pipe, quotes and closing paren
+ elseif fname =~ '[|'')"]'
+ echomsg printf("(Vimball) Forbidding strange filename: '%s', aborting...", fname)
+ exe "tabn ".curtabnr
+ bw! Vimball
+ call s:ChgDir(curdir)
+ return
endif
if a:really
exe "silent w! ".fnameescape(fnamepath)
endif
echo "wrote ".fnameescape(fnamepath)
- call s:RecordInVar(home,"call delete('".fnamepath."')")
+ call s:RecordInVar(home,"call delete('".escape(fnamepath, '"''|')."')")
endif
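Review bot: The new `escape(fnamepath, '"''|')` on the `s:RecordInVar` line does not make the recorded `call delete('...')` safe on its own: the value is spliced into a single-quoted Vim string, where a backslash is literal, so an embedded `'` becomes `\'` and still terminates the literal (leaving a stray `\` behind), and `"` and `|` need no escaping inside single quotes at all. What actually prevents the breakout here is the blocklist on the `elseif fname =~ '[|'')"]'` line, which relies on `fnamepath` being derived from the checked `fname` (that derivation is outside the hunk). Let Vim quote the value instead, which doubles embedded quotes correctly regardless of the blocklist: `call s:RecordInVar(home,"call delete(".string(fnamepath).")")`. The enclosing function vimball#Vimball starts and continues outside this hunk.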
" return to tab with vimball
call s:ChgDir(home)
if filereadable(".VimballRecord")
- keepalt keepjumps 1split
+ keepalt keepjumps 1split
sil! keepalt keepjumps e .VimballRecord
let keepsrch= @/
if search('^\M'.curfile."\m: ".'cw')
if exists("s:recordfile") || exists("s:recorddir")
let curdir= getcwd()
call s:ChgDir(a:home)
- keepalt keepjumps 1split
+ keepalt keepjumps 1split
let cmd= expand("%:tr").": "
call assert_match('(Vimball) Path Traversal Attack detected, aborting\.\.\.', mess)
call s:teardown()
endfunc
+
+func Test_vimball_evil_filenames()
+ call s:Mkvimball()
+ call delete('XVimball', 'rf')
+ sp Xtest.vmb
+ 4s#XVimball#pwn')#
+ so %
+ call feedkeys("\<cr>", "it")
+
+ let mess = execute(':mess')->split('\n')[-1]
+ call assert_match('(Vimball) Forbidding strange filename:.* aborting\.\.\.', mess)
+ call s:teardown()
+endfunc
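Review bot: Test_vimball_evil_filenames only exercises the `')` case via `4s#XVimball#pwn')#`, while the check it covers also rejects `|` and `"`; a regression in either of those characters would go unnoticed. Running the same body once per forbidden character keeps one behaviour per test and costs nothing, since `s:Mkvimball()` and `s:teardown()` already rebuild the fixture. The `4` in the substitute address assumes the filename sits on the fourth line of the archive `s:Mkvimball()` writes; a short comment stating that assumption would help the next person who changes the fixture.
```vim
func Test_vimball_evil_filenames()
  " line 4 of the generated archive holds the filename written by s:Mkvimball()
  for bad in ["pwn')", 'pw|n', 'pw"n']
    call s:Mkvimball()
    call delete('XVimball', 'rf')
    sp Xtest.vmb
    exe '4s#XVimball#' .. escape(bad, '#') .. '#'
    so %
    call feedkeys("\<cr>", "it")

    let mess = execute(':mess')->split('\n')[-1]
    call assert_match('(Vimball) Forbidding strange filename:.* aborting\.\.\.', mess)
    call s:teardown()
  endfor
endfunc
```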