[vim/vim] runtime(tar): add path traversal checks to tar#Extract() (PR #19981)

3 views
Skip to first unread message

q1uf3ng

unread,
Apr 14, 2026, 9:55:55 PM (2 days ago) Apr 14
to vim/vim, Subscribed

tar#Extract() has no check for ../ or absolute paths. zip#Extract()
was patched for this recently, tar#Extract() was not.

Add the same checks: ../ relative traversal, leading slash on Unix,
drive letter and leading slash/backslash on Windows.

You can view, comment on, or merge this pull request online at:

  https://github.com/vim/vim/pull/19981

Commit Summary

  • be8d468 runtime(tar): add path traversal checks to tar#Extract()

File Changes

(1 file)

Patch Links:


Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19981@github.com>

Christian Brabandt

unread,
Apr 15, 2026, 3:30:25 AM (2 days ago) Apr 15
to vim/vim, Subscribed
chrisbra left a comment (vim/vim#19981)

I checked this a few times already and was not able to reproduce:

0 41597 chrisbra@debian-arm64 /tmp/tar_poc/a % tar -pxf 'archive'.tar '../../tmp/vim_tar_poc.txt'
tar: Removing leading `../../' from member names
tar: ../../tmp/vim_tar_poc.txt: Member name contains '..'
tar: Exiting with failure status due to previous errors


Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19981/c4250092060@github.com>

q1uf3ng

unread,
Apr 15, 2026, 6:16:53 AM (2 days ago) Apr 15
to vim/vim, Subscribed
q1uf3ng left a comment (vim/vim#19981)

Right, GNU tar 1.35+ blocks .. in member names. But older tar versions and bsdtar (macOS default) do not. Also, symlink entries are not blocked — a tar with a symlink pointing outside cwd followed by a file through it can write to arbitrary paths even on GNU tar 1.35.

Either way, zip#Extract() already has these checks after the recent patches. This just brings tar#Extract() to the same level.


Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19981/c4251172505@github.com>

Christian Brabandt

unread,
Apr 15, 2026, 2:42:34 PM (2 days ago) Apr 15
to vim/vim, Subscribed

Closed #19981 via 490b737.


Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19981/issue_event/24540327461@github.com>

Christian Brabandt

unread,
Apr 15, 2026, 2:45:47 PM (2 days ago) Apr 15
to vim/vim, Subscribed
chrisbra left a comment (vim/vim#19981)

Thanks. I added some tests to make sure this does not regress


Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19981/c4254579878@github.com>

Reply all
Reply to author
Forward
0 new messages