patch 9.1.1551: [security]: path traversal issue in zip.vim

Browse Source

Problem:  [security]: path traversal issue in zip.vim (@ax)
Solution: drop leading ../ on write of zipfiles, don't forcefully
          overwrite existing files

A zip plugin which contains filenames with leading '../'  may cause
confusion as to where the content will be extracted.  Let's drop such
things and make sure we use a relative filename instead and don't
forcefully overwrite temporary files. Also, warn the user of such
things.

related: #17733

Signed-off-by: Christian Brabandt <cb@256bit.org>

...

This commit is contained in:

Christian Brabandt

2025-07-15 21:43:01 +02:00

parent 3f9d2378bd

commit 586294a041

7 changed files with 185 additions and 144 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

BIN

src/testdir/samples/evil.zip Normal file

Binary file not shown.