" 2026 Apr 01 by Vim Project: Detect more path traversal attacks
" 2026 Apr 05 by Vim Project: Detect more path traversal attacks
" 2026 Apr 14 by Vim Project: Detect more path traversal attacks on Windows
+" 2026 Apr 15 by Vim Project: Detect more path traversal attacks on Windows
" License: Vim License (see vim's :help license)
" Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1
" Permission is hereby granted to use and distribute this code,
else
let zipfile = substitute(a:fname,'^.\{-}zipfile://\(.\{-}\)::[^\\].*$','\1','')
let fname = substitute(a:fname,'^.\{-}zipfile://.\{-}::\([^\\].*\)$','\1','')
- " fname should not start with drive leter or a UNC path
- if fname =~ '^\%(\%(\a:[\\/]\)\|[\\/]\{2}\)'
+ " fname should not start with drive letter, UNC path, or leading slash
+ if fname =~ '^\%(\a:[\\/]\|[\\/]\)'
call s:Mess('Error', "***error*** (zip#Write) Path Traversal Attack detected, not writing!")
call s:ChgDir(curdir,s:WARNING,"(zip#Write) unable to return to ".curdir."!")
return
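Review bot: The new pattern on the `if fname =~` line rejects a drive root and a leading slash or backslash, but a drive-relative name of the form `\a:` with no separator after the colon (e.g. `C:foo`) is not matched, and on Windows such a name is resolved against that drive's current directory rather than the directory the plugin changed into. If that case is meant to be refused as well, `if fname =~ '^\%(\a:\|[\\/]\)'` covers it; the same pattern appears again in the non-unix branch of the zip#Extract hunk below (`if fname =~ '^\%(\a:[\\/]\|[\\/]\)'`) and would want the same adjustment. Note that here the check runs on every platform, so on unix an entry named like `\foo` or `c:\foo` — a legal filename there — is also refused, which is conservative but differs from the `has("unix")` split used in zip#Extract; a short comment saying this is intentional would help. zip#Write's body starts and ends outside the hunk.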
call s:Mess('Error', "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!")
return
endif
+ " block absolute paths
+ if has("unix")
+ if fname =~ '^/'
+ call s:Mess('Error', "***error*** (zip#Extract) Path Traversal Attack detected, not extracting!")
+ return
+ endif
+ else
+ if fname =~ '^\%(\a:[\\/]\|[\\/]\)'
+ call s:Mess('Error', "***error*** (zip#Extract) Path Traversal Attack detected, not extracting!")
+ return
+ endif
+ endif
if filereadable(fname)
call s:Mess('Error', "***error*** (zip#Extract) <" .. fname .."> already exists in directory, not overwriting!")
return
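Review bot: The two branches of the new `has("unix")` block differ only in the pattern, so the s:Mess call and the return are written twice; choosing the pattern once and keeping a single check reads more clearly, e.g. `let pat = has("unix") ? '^/' : '^\%(\a:[\\/]\|[\\/]\)'` followed by `if fname =~ pat`. A one-line comment above it explaining why a leading backslash is not rejected on unix (it is an ordinary filename character there) would keep the next reader from treating the asymmetry as an oversight. The unchanged check just above the new block reports its error as `(zip#Browse)` while the surrounding code appears to belong to zip#Extract, which looks like a pre-existing label mix-up if this is indeed zip#Extract. The enclosing function begins before the hunk and continues after it.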