vim-patch:9.1.1198: [security]: potential data loss with zip.vim (#32867)

Problem: [security]: potential data loss with zip.vim and special crafted zip files (RyotaK) Solution: use glob '[-]' to protect filenames starting with '-' Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf f209dcd3de Co-authored-by: Christian Brabandt <cb@256bit.org>
2025-07-16 01:01:49 +00:00 · 2025-03-13 08:47:02 +08:00
parent 90d1260cb8
commit b25527d20d
3 changed files with 29 additions and 0 deletions
--- a/runtime/autoload/zip.vim
+++ b/runtime/autoload/zip.vim
@ -14,6 +14,7 @@
 " 2024 Aug 05 by Vim Project: clean-up and make it work with shellslash on Windows
 " 2024 Aug 18 by Vim Project: correctly handle special globbing chars
 " 2024 Aug 21 by Vim Project: simplify condition to detect MS-Windows
+" 2025 Mar 11 by Vim Project: handle filenames with leading '-' correctly
 " License:	Vim License  (see vim's :help license)
 " Copyright:	Copyright (C) 2005-2019 Charles E. Campbell {{{1
 "		Permission is hereby granted to use and distribute this code,
@ -342,6 +343,11 @@ fun! zip#Extract()
   return
  endif
  let target = fname->substitute('\[', '[[]', 'g')
+  " unzip 6.0 does not support -- to denote end-of-arguments
+  " unzip 6.1 (2010) apparently supports, it, but hasn't been released
+  " so the workaround is to use glob '[-]' so that it won't be considered an argument
+  " else, it would be possible to use 'unzip -o <file.zip> '-d/tmp' to extract the whole archive
+  let target = target->substitute('^-', '[&]', '')
  if &shell =~ 'cmd' && has("win32")
    let target = target
 		\ ->substitute('[?*]', '[&]', 'g')
--- a/test/old/testdir/samples/poc.zip
+++ b/test/old/testdir/samples/poc.zip
--- a/test/old/testdir/test_plugin_zip.vim
+++ b/test/old/testdir/test_plugin_zip.vim
@ -235,3 +235,26 @@ func Test_zip_glob_fname()

  bw
 endfunc
+
+func Test_zip_fname_leading_hyphen()
+  CheckNotMSWindows
+
+  "## copy sample zip file
+  if !filecopy("samples/poc.zip", "X.zip")
+    call assert_report("Can't copy samples/poc.zip")
+    return
+  endif
+  defer delete("X.zip")
+  defer delete('-d', 'rf')
+  defer delete('/tmp/pwned', 'rf')
+
+  e X.zip
+
+  :1
+  let fname = '-d/tmp'
+  call search('\V' .. fname)
+  normal x
+  call assert_true(filereadable('-d/tmp'))
+  call assert_false(filereadable('/tmp/pwned'))
+  bw
+endfunc