From: q1uf3ng <q1uf3ng@protone.me>
Date: Wed, 15 Apr 2026 18:20:55 +0000 (+0000)
Subject: patch 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract()
X-Git-Tag: v9.2.0355^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=490b737f3e172c3c66744c7531ee85f19618419d;p=thirdparty%2Fvim.git

patch 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract()

Problem:  runtime(tar): missing path traversal checks in tar#Extract()
Solution: Add check for leading slash, however gnu tar should already
          detect this (q1uf3ng)

tar#Extract() did not check for ../ sequences or absolute paths,
unlike zip#Extract() which was patched in recent commits. Add the
same checks: ../ (relative traversal), leading slash (Unix), drive
letter and UNC/leading slash (Windows).

closes: #19981

Signed-off-by: q1uf3ng <q1uf3ng@protone.me>
Signed-off-by: Christian Brabandt <cb@256bit.org>
---

diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
index 722a0ab680..6aa3489e53 100644
--- a/runtime/autoload/tar.vim
+++ b/runtime/autoload/tar.vim
@@ -23,6 +23,7 @@
 "   2026 Apr 06 by Vim Project: fix bugs with lz4 support (#19925)
 "   2026 Apr 09 by Vim Project: fix bugs with zstd support (#19930)
 "   2026 Apr 09 by Vim Project: fix bug with dotted filename (#19930)
+"   2026 Apr 15 by Vim Project: fix more path traversal issues (#19981)
 "
 "	Contains many ideas from Michael Toren's <tar.vim>
 "
@@ -612,6 +613,24 @@ fun! tar#Extract()
    let &report= repkeep
    return
   endif
+  if fname =~ '^[.]\?[.]/' || simplify(fname) =~ '\.\.[/\\]'
+   call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!")
+   let &report= repkeep
+   return
+  endif
+  if has("unix")
+   if fname =~ '^/'
+    call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!")
+    let &report= repkeep
+    return
+   endif
+  else
+   if fname =~ '^\%(\a:[\\/]\|[\\/]\)'
+    call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!")
+    let &report= repkeep
+    return
+   endif
+  endif
 
   let extractcmd= s:WinPath(g:tar_extractcmd)
   let tarball = expand("%")
diff --git a/src/testdir/test_plugin_tar.vim b/src/testdir/test_plugin_tar.vim
index 80b7a76d6d..56f25df2ae 100644
--- a/src/testdir/test_plugin_tar.vim
+++ b/src/testdir/test_plugin_tar.vim
@@ -86,6 +86,11 @@ def g:Test_tar_evil()
   assert_equal("X.tar", @%)
   assert_equal(1, b:leading_slash)
 
+  ### Press x to extract
+  :6
+  var mess = execute(":normal x", '')
+  assert_match('(tar#Extract) Path Traversal Attack detected, not extracting!', mess)
+
   ### Check ENTER on file
   :6
   exe ":normal \<cr>"
diff --git a/src/version.c b/src/version.c
index 513632bd8d..c0f826a17d 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    355,
 /**/
     354,
 /**/