From: Christian Brabandt
Date: Thu, 9 Apr 2026 18:35:39 +0000 (+0000)
Subject: runtime(vimball): detect more path traversal attacks
X-Git-Tag: v9.2.0324~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3e194b10685a99a63a2bf4c97beac3541af0c4ac;p=thirdparty%2Fvim.git

runtime(vimball): detect more path traversal attacks

Signed-off-by: Christian Brabandt
---

diff --git a/runtime/autoload/vimball.vim b/runtime/autoload/vimball.vim
index fb4df5eb66..d661ded631 100644
--- a/runtime/autoload/vimball.vim
+++ b/runtime/autoload/vimball.vim
@@ -6,7 +6,8 @@
 " GetLatestVimScripts: 1502 1 :AutoInstall: vimball.vim
 " Last Change:
 " 2025 Feb 28 by Vim Project: add support for bzip3 (#16755)
-" 2026 Apr 05 by Vim Project: Detect Path Traversal Attacks
+" 2026 Apr 05 by Vim Project: Detect path traversal attacks
+" 2026 Apr 09 by Vim Project: Detect more path traversal attacks
 " Copyright: (c) 2004-2011 by Charles E. Campbell
 " The VIM LICENSE applies to Vimball.vim, and Vimball.txt
 " (see |copyright|) except use "Vimball" instead of "Vim".
@@ -229,7 +230,8 @@ fun! vimball#Vimball(really,...)
 let fsize = substitute(getline(linenr+1),'^\(\d\+\).\{-}$','\1','')+0
 let fenc = substitute(getline(linenr+1),'^\d\+\s*\(\S\{-}\)$','\1','')
 let filecnt = filecnt + 1
-if fname =~ '\.\.'
+" Do not allow a leading / or .. anywhere in the file name
+if fname =~ '\.\.' || fname =~ '^/'
 echomsg "(Vimball) Path Traversal Attack detected, aborting..."
 exe "tabn ".curtabnr
 bw! Vimball
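Review bot: The widened guard in the second hunk only rejects a name that starts with a forward slash, so on MS-Windows a drive-rooted or backslash-rooted name (`C:\...`, `\...`) still passes the check and can be written outside the target directory; the `\.\.` pattern catches only the dot-dot form. A leading `~` is probably also expanded to the home directory by whatever Ex command later writes the file, since fnameescape() does not escape it, so it should be rejected as well — confirm against the write call, which is outside this hunk. Consider `if fname =~ '\.\.' || fname =~ '^[/\\~]' || fname =~ '^\a:'` and widen the new comment to match, e.g. `" Reject absolute paths (/, \, drive:), a leading ~ and .. anywhere in the file name`. The body of vimball#Vimball() starts and ends outside the hunk, so any other place fname is used before the write should get the same check.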