Commit: runtime(vimball): detect more path traversal attacks

Christian Brabandt

Apr 9, 2026, 2:47:26 PM
to vim...@googlegroups.com
runtime(vimball): detect more path traversal attacks

Commit: https://github.com/vim/vim/commit/3e194b10685a99a63a2bf4c97beac3541af0c4ac
Author: Christian Brabandt <c...@256bit.org>
Date: Thu Apr 9 18:35:39 2026 +0000

runtime(vimball): detect more path traversal attacks

Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/runtime/autoload/vimball.vim b/runtime/autoload/vimball.vim
index fb4df5eb6..d661ded63 100644
--- a/runtime/autoload/vimball.vim
+++ b/runtime/autoload/vimball.vim
@@ -6,7 +6,8 @@
" GetLatestVimScripts: 1502 1 :AutoInstall: vimball.vim
" Last Change:
" 2025 Feb 28 by Vim Project: add support for bzip3 (#16755)
-" 2026 Apr 05 by Vim Project: Detect Path Traversal Attacks
+" 2026 Apr 05 by Vim Project: Detect path traversal attacks
+" 2026 Apr 09 by Vim Project: Detect more path traversal attacks
" Copyright: (c) 2004-2011 by Charles E. Campbell
" The VIM LICENSE applies to Vimball.vim, and Vimball.txt
" (see |copyright|) except use "Vimball" instead of "Vim".
@@ -229,7 +230,8 @@ fun! vimball#Vimball(really,...)
let fsize = substitute(getline(linenr+1),'^\(\d\+\).\{-}$',' ','')+0
let fenc = substitute(getline(linenr+1),'^\d\+\s*\(\S\{-}\)$',' ','')
let filecnt = filecnt + 1
- if fname =~ '\.\.'
+ " Do not allow a leading / or .. anywhere in the file name
+ if fname =~ '\.\.' || fname =~ '^/'
echomsg "(Vimball) Path Traversal Attack detected, aborting..."
exe "tabn ".curtabnr
bw! Vimball
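
Review bot: The added `fname =~ '^/'` test in the `if` rejects only a name that starts with a forward slash, so an absolute name written with a leading backslash or a drive prefix such as `C:` would still pass unless fname is normalised before this point, which the visible lines do not show. Consider rejecting those forms in the same condition, or normalising fname first and saying so in the comment. The new comment would read less ambiguously as "Do not allow a leading / or a .. anywhere in the file name". The commit message does not say which input the earlier `'\.\.'` check missed, and the visible patch touches only runtime/autoload/vimball.vim, so a regression test with a leading-slash entry would document the case and keep it covered.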