From: Christian Brabandt Date: Sat, 7 Feb 2026 10:12:34 +0000 (+0000) Subject: runtime(tar): Make the path traversal detection more robust X-Git-Tag: v9.1.2136~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7ccb81bdb6c5454ff801be11082775ec82a96efc;p=thirdparty%2Fvim.git runtime(tar): Make the path traversal detection more robust closes: #19341 Signed-off-by: Christian Brabandt
---
diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
index 944a2ed106..73829a2d5c 100644
--- a/runtime/autoload/tar.vim
+++ b/runtime/autoload/tar.vim
@@ -19,6 +19,7 @@
 " 2025 Jul 13 by Vim Project: warn with path traversal attacks
 " 2025 Jul 16 by Vim Project: update minimum vim version
 " 2026 Feb 06 by Vim Project: consider 'nowrapscan' (#19333)
+" 2026 Feb 07 by Vim Project: make the path traversal detection more robust (#19341)
 "
 " Contains many ideas from Michael Toren's
 "
@@ -111,7 +112,7 @@ if !exists("g:tar_shq")
 endif
 let g:tar_secure=' -- '
-let g:tar_leading_pat='^\%([.]\{,2\}/\)\+'
+let g:tar_leading_pat='\m^\%([.]\{,2\}/\)\+'
 " ----------------
 " Functions: {{{1
@@ -227,7 +228,7 @@ fun! tar#Browse(tarfile)
 " remove tar: Removing leading '/' from member names
 " Note: the message could be localized
- if search('^tar: ', 'w') > 0 || search(g:tar_leading_pat, 'w') > 0
+ if search('\m^g\?tar: ', 'w') > 0 || search(g:tar_leading_pat, 'w') > 0
 call append(3,'" Note: Path Traversal Attack detected!')
 let b:leading_slash = 1
 " remove the message output
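Review bot: `g:tar_leading_pat` in the second hunk (`-111,7 +112,7`) is still anchored with `^`, so it only flags member names that begin with `/`, `./` or `../`; a name that carries a `../` component after its first path element is not matched by this pattern. If the warning is meant to cover those names too, a second check for a `../` component anywhere in the listed name is needed; otherwise the assignment should say that the check is leading-only. The new prefix also deserves a one-line comment above the `let`, for example `" \m: evaluate the pattern with 'magic' regardless of the user's setting`.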
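Review bot: The widened test in `tar#Browse` (third hunk) now also fires on `gtar: ` lines, but the cleanup announced by `" remove the message output` lies past the end of the hunk and is not touched by this commit. If that step still deletes on the old `^tar: ` prefix, gtar diagnostics would stay in the listing buffer, where they can be mistaken for member names. The removal should use the same `\m^g\?tar: ` expression as the detection, ideally from one shared variable so the two cannot drift apart. The program-name prefix remains hard-coded, so diagnostics from a tar binary with another name (for example `bsdtar: `) would presumably not trigger the warning, and the existing comment already notes that the message text may be localized. `tar#Browse` starts and ends outside the hunk.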