Commit: patch 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract()

[Christian Brabandt]

patch 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract()

Commit: https://github.com/vim/vim/commit/490b737f3e172c3c66744c7531ee85f19618419d
Author: q1uf3ng <q1u...@protone.me>
Date: Wed Apr 15 18:20:55 2026 +0000

patch 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract()

Problem: runtime(tar): missing path traversal checks in tar#Extract()
Solution: Add check for leading slash, however gnu tar should already
detect this (q1uf3ng)

tar#Extract() did not check for ../ sequences or absolute paths,
unlike zip#Extract() which was patched in recent commits. Add the
same checks: ../ (relative traversal), leading slash (Unix), drive
letter and UNC/leading slash (Windows).

closes: #19981

Signed-off-by: q1uf3ng <q1u...@protone.me>
Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
index 722a0ab68..6aa3489e5 100644
--- a/runtime/autoload/tar.vim
+++ b/runtime/autoload/tar.vim
@@ -23,6 +23,7 @@
" 2026 Apr 06 by Vim Project: fix bugs with lz4 support (#19925)
" 2026 Apr 09 by Vim Project: fix bugs with zstd support (#19930)
" 2026 Apr 09 by Vim Project: fix bug with dotted filename (#19930)
+" 2026 Apr 15 by Vim Project: fix more path traversal issues (#19981)
"
" Contains many ideas from Michael Toren's <tar.vim>
"
@@ -612,6 +613,24 @@ fun! tar#Extract()
let &report= repkeep
return
endif
+ if fname =~ '^[.]\?[.]/' || simplify(fname) =~ '\.\.[/\]'
+ call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!")
+ let &report= repkeep
+ return
+ endif
+ if has("unix")
+ if fname =~ '^/'
+ call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!")
+ let &report= repkeep
+ return
+ endif
+ else
+ if fname =~ '^\%( :[\/]\|[\/]\)'
+ call s:Msg('tar#Extract', 'error', "Path Traversal Attack detected, not extracting!")
+ let &report= repkeep
+ return
+ endif
+ endif

let extractcmd= s:WinPath(g:tar_extractcmd)
let tarball = expand("%")
diff --git a/src/testdir/test_plugin_tar.vim b/src/testdir/test_plugin_tar.vim
index 80b7a76d6..56f25df2a 100644
--- a/src/testdir/test_plugin_tar.vim
+++ b/src/testdir/test_plugin_tar.vim
@@ -86,6 +86,11 @@ def g:Test_tar_evil()
assert_equal("X.tar", @%)
assert_equal(1, b:leading_slash)

+ ### Press x to extract
+ :6
+ var mess = execute(":normal x", '')
+ assert_match('(tar#Extract) Path Traversal Attack detected, not extracting!', mess)
+
### Check ENTER on file
:6
exe ":normal \<cr>"
diff --git a/src/version.c b/src/version.c
index 513632bd8..c0f826a17 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 355,
/**/
354,
/**/