runtime(tar): missing g:tar_secure in tar#Extract()
authorChristian Brabandt <cb@256bit.org>
Thu, 16 Apr 2026 12:28:18 +0000 (14:28 +0200)
committerChristian Brabandt <cb@256bit.org>
Thu, 16 Apr 2026 12:42:47 +0000 (14:42 +0200)
Signed-off-by: Christian Brabandt <cb@256bit.org>
runtime/autoload/tar.vim
runtime/doc/pi_tar.txt

index 6aa3489e5359b1e9dbcd85b257b1fa1304ba2e9d..1347371b5145ab2b2be920d9f55b662c31ec4ba7 100644 (file)
@@ -24,6 +24,7 @@
 "   2026 Apr 09 by Vim Project: fix bugs with zstd support (#19930)
 "   2026 Apr 09 by Vim Project: fix bug with dotted filename (#19930)
 "   2026 Apr 15 by Vim Project: fix more path traversal issues (#19981)
+"   2026 Apr 16 by Vim Project: use g:tar_secure in tar#Extract()
 "
 "      Contains many ideas from Michael Toren's <tar.vim>
 "
@@ -640,7 +641,7 @@ fun! tar#Extract()
   endif
 
   if tarball =~# "\.tar$"
-   call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
+   call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
    if v:shell_error != 0
     call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
    else
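Review bot: Whether the new `g:tar_secure.shellescape(fname)` on the `system()` line stops a member name that begins with `-` from being parsed as a tar option depends on the value of `g:tar_secure`, which is assigned outside this hunk. If that variable can be a plain space when the user has not opted in, the command is effectively unchanged in that configuration, so it is worth confirming the default or rejecting such names before the call. The same expression is repeated verbatim in the eleven other branches below (`.tgz` through the two `-I lz4` branches), and the commit title suggests the marker was simply missed here, so one script-local helper that builds and runs the extract command would keep the branches from drifting again. The `s:Msg` error text still prints `{extractcmd} {tarball} {fname}` without the marker, so it no longer matches the command that actually ran. tar#Extract() starts and ends outside the hunk.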
@@ -649,7 +650,7 @@ fun! tar#Extract()
 
   elseif tarball =~# "\.tgz$"
    let extractcmd= substitute(extractcmd,"-","-z","")
-   call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
+   call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
    if v:shell_error != 0
     call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
    else
@@ -658,7 +659,7 @@ fun! tar#Extract()
 
   elseif tarball =~# "\.tar\.gz$"
    let extractcmd= substitute(extractcmd,"-","-z","")
-   call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
+   call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
    if v:shell_error != 0
     call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
    else
@@ -667,7 +668,7 @@ fun! tar#Extract()
 
   elseif tarball =~# "\.tbz$"
    let extractcmd= substitute(extractcmd,"-","-j","")
-   call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
+   call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
    if v:shell_error != 0
     call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
    else
@@ -676,7 +677,7 @@ fun! tar#Extract()
 
   elseif tarball =~# "\.tar\.bz2$"
    let extractcmd= substitute(extractcmd,"-","-j","")
-   call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
+   call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
    if v:shell_error != 0
     call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
    else
@@ -685,7 +686,7 @@ fun! tar#Extract()
 
   elseif tarball =~# "\.tar\.bz3$"
    let extractcmd= substitute(extractcmd,"-","-j","")
-   call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
+   call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
    if v:shell_error != 0
     call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
    else
@@ -694,7 +695,7 @@ fun! tar#Extract()
 
   elseif tarball =~# "\.txz$"
    let extractcmd= substitute(extractcmd,"-","-J","")
-   call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
+   call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
    if v:shell_error != 0
     call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
    else
@@ -703,7 +704,7 @@ fun! tar#Extract()
 
   elseif tarball =~# "\.tar\.xz$"
    let extractcmd= substitute(extractcmd,"-","-J","")
-   call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
+   call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
    if v:shell_error != 0
     call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
    else
@@ -712,7 +713,7 @@ fun! tar#Extract()
 
   elseif tarball =~# "\.tzst$"
    let extractcmd= substitute(extractcmd,"-","--zstd -","")
-   call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
+   call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
    if v:shell_error != 0
     call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
    else
@@ -721,7 +722,7 @@ fun! tar#Extract()
 
   elseif tarball =~# "\.tar\.zst$"
    let extractcmd= substitute(extractcmd,"-","--zstd -","")
-   call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
+   call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
    if v:shell_error != 0
     call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
    else
@@ -732,7 +733,7 @@ fun! tar#Extract()
    if has("linux")
     let extractcmd= substitute(extractcmd,"-","-I lz4 -","")
    endif
-   call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
+   call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
    if v:shell_error != 0
     call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
    else
@@ -743,7 +744,7 @@ fun! tar#Extract()
    if has("linux")
     let extractcmd= substitute(extractcmd,"-","-I lz4 -","")
    endif
-   call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
+   call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
    if v:shell_error != 0
     call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
    else
index 0bba3c37d38f40e0865a3f07ed53aa3b955ee703..5a4dae8f318eba021490ad8618b779a71ceeebb0 100644 (file)
@@ -1,4 +1,4 @@
-*pi_tar.txt*   For Vim version 9.2.  Last change: 2026 Feb 14
+*pi_tar.txt*   For Vim version 9.2.  Last change: 2026 Apr 16
 
                       +====================+
                       | Tar File Interface |
@@ -101,10 +101,17 @@ Copyright 2005-2017:                                      *tar-copyright*
 4. History                                             *tar-history*
 
        unreleased:
+               Apr 16, 2026    * add missing g:tar_secure into tar#Extract
+               Apr 15, 2026    * add path traversal checks in tar#Extract()
+               Apr 09, 2026    * fix zstd support and dotted filename support
+               Apr 06, 2026    * fix lz4 support
+               Feb 07, 2026    * make path traversal detection more robust
+               Feb 06, 2026    * fix bug with nowrapscan
+               Jul 16, 2025    * update minimum required Vim version
                Jul 13, 2025    * drop leading /
                May 19, 2025    * restore working directory after read/write
                Apr 16, 2025    * decouple from netrw by adding s:WinPath()
-                               instead of shelling out to file(1)
+                                 instead of shelling out to file(1)
                Mar 02, 2025    * determine the compression using readblob()
                Mar 02, 2025    * escape the filename before using :read
                Mar 01, 2025    * fix syntax error in tar#Read()