[vim/vim] runtime(vimball): block Windows drive letter paths (PR #19989)

0 views
Skip to first unread message

mattn

unread,
Apr 16, 2026, 10:51:22 AM (15 hours ago) Apr 16
to vim/vim, Subscribed

The path traversal check in vimball#Vimball() rejected leading / and embedded .., but did not reject file names starting with a Windows drive letter (e.g. C:/foo). Backslashes are normalized to forward slashes earlier, so UNC paths are caught by the leading-slash check, but absolute drive-letter paths slipped through and could write outside of g:vimball_home on Windows.

Add a ^\a: check next to the existing ^/ check, and cover it with a new test (verified on Linux and Windows MinGW).

You can view, comment on, or merge this pull request online at:

  https://github.com/vim/vim/pull/19989

Commit Summary

  • 46e90e7 runtime(vimball): block Windows drive letter paths
  • 8592ce0 runtime(vimball): drop bogus isdirectory('C:') assertion in test

File Changes

(2 files)

Patch Links:


Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19989@github.com>

Christian Brabandt

unread,
Apr 16, 2026, 3:57:56 PM (10 hours ago) Apr 16
to vim/vim, Subscribed
chrisbra left a comment (vim/vim#19989)

thanks


Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19989/c4262999659@github.com>

Christian Brabandt

unread,
Apr 16, 2026, 4:09:12 PM (10 hours ago) Apr 16
to vim/vim, Subscribed

Closed #19989 via b076c49.


Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19989/issue_event/24582045837@github.com>

Reply all
Reply to author
Forward
0 new messages