]> git.ipfire.org Git - thirdparty/vim.git/commitdiff
projects / thirdparty / vim.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0e02be1)
patch 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract() v9.2.0355
authorq1uf3ng <q1uf3ng@protone.me>
Wed, 15 Apr 2026 18:20:55 +0000 (18:20 +0000)
committerChristian Brabandt <cb@256bit.org>
Wed, 15 Apr 2026 18:36:20 +0000 (18:36 +0000)
Problem:  runtime(tar): missing path traversal checks in tar#Extract()
Solution: Add check for leading slash, however gnu tar should already
          detect this (q1uf3ng)

tar#Extract() did not check for ../ sequences or absolute paths,
unlike zip#Extract() which was patched in recent commits. Add the
same checks: ../ (relative traversal), leading slash (Unix), drive
letter and UNC/leading slash (Windows).

closes: #19981

Signed-off-by: q1uf3ng <q1uf3ng@protone.me>
Signed-off-by: Christian Brabandt <cb@256bit.org>
runtime/autoload/tar.vim patch | blob | blame | history
src/testdir/test_plugin_tar.vim patch | blob | blame | history
src/version.c patch | blob | blame | history

diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
index 722a0ab6802dca8ca3f9ead6b077760bd081e4d6..6aa3489e5359b1e9dbcd85b257b1fa1304ba2e9d 100644 (file)
--- a/runtime/autoload/tar.vim
+++ b/runtime/autoload/tar.vim
@@ -23,6 +23,7 @@
 "   2026 Apr 06 by Vim Project: fix bugs with lz4 support (#19925)
 "   2026 Apr 09 by Vim Project: fix bugs with zstd support (#19930)
 "   2026 Apr 09 by Vim Project: fix bug with dotted filename (#19930)
+"   2026 Apr 15 by Vim Project: fix more path traversal issues (#19981)
 "
 "      Contains many ideas from Michael Toren's <tar.vim>
 "
@@ -612,6 +613,24 @@ fun! tar#Extract()
    let &report= repkeep
    return
   endif
+  if fname =~ '^[.]\?[.]/' || simplify(fname) =~ '\.\.[/\\]'
+   call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!")
+   let &report= repkeep
+   return
+  endif
+  if has("unix")
+   if fname =~ '^/'
+    call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!")
+    let &report= repkeep
+    return
+   endif
+  else
+   if fname =~ '^\%(\a:[\\/]\|[\\/]\)'
+    call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!")
+    let &report= repkeep
+    return
+   endif
+  endif
 
   let extractcmd= s:WinPath(g:tar_extractcmd)
   let tarball = expand("%")
diff --git a/src/testdir/test_plugin_tar.vim b/src/testdir/test_plugin_tar.vim
index 80b7a76d6dd1aae7b178fa3e5d45ccc99b18db5d..56f25df2ae27c93a2a4224e955eaf983627f30a0 100644 (file)
--- a/src/testdir/test_plugin_tar.vim
+++ b/src/testdir/test_plugin_tar.vim
@@ -86,6 +86,11 @@ def g:Test_tar_evil()
   assert_equal("X.tar", @%)
   assert_equal(1, b:leading_slash)
 
+  ### Press x to extract
+  :6
+  var mess = execute(":normal x", '')
+  assert_match('(tar#Extract) Path Traversal Attack detected, not extracting!', mess)
+
   ### Check ENTER on file
   :6
   exe ":normal \<cr>"
diff --git a/src/version.c b/src/version.c
index 513632bd8d30d545b5b2a7b9650faacde7bfac4e..c0f826a17dd9a9ac4ffd415541f4a01b67c49a23 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    355,
 /**/
     354,
 /**/
Mirror of https://github.com/vim/vim.git