zip#Write(): the regex from commit 6836599 does not match a single
leading slash (/path). On Windows this resolves to the current
drive root (e.g. C:\path), bypassing the check.
Fix: simplify the regex to '^\%(\a:[\\/]\|[\\/]\)' so any leading
slash or backslash is matched.
zip#Extract(): has no absolute path check at all. Add the same
checks used in zip#Write() for both Unix and Windows.
https://github.com/vim/vim/pull/19976
(1 file)
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
thanks
@chrisbra commented on this pull request.
> @@ -505,6 +505,18 @@ fun! zip#Extract()
call s:Mess('Error', "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!")
return
endif
+ " block absolute paths
+ if has("unix")
+ if fname =~ '^/'
+ call s:Mess('Error', "***error*** (zip#Extract) Path Traversal Attack detected, not extracting!")
+ return
+ endif
+ else
+ if fname =~ '^\%(\a:[\\/]\|[\\/]\)'
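Review bot: the non-Unix branch's pattern '^\%(\a:[\\/]\|[\\/]\)' already matches everything the Unix branch's '^/' does, so the has("unix") split only leaves a second copy of the error message and return to keep in sync; one check with the broader pattern on every system would be simpler, at the cost of also rejecting a Unix member name that starts with a backslash, which is a harmless loss for archive entries. Separately, the new message says "(zip#Extract)" while the existing traversal message in the context lines above still reads "(zip#Browse)" inside zip#Extract; worth correcting that prefix in the same change.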
I guess we could simplify the whole Unix/Linux detection and just use this pattern for all systems.