GitHub/vim
1
0
Fork 0
mirror of https://github.com/vim/vim synced 2025-07-16 09:12:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

patch 9.1.1198: [security]: potential data loss with zip.vim

Browse Source 
Problem:  [security]: potential data loss with zip.vim and special
          crafted zip files (RyotaK)
Solution: use glob '[-]' to protect filenames starting with '-'

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf

Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
2025-03-12 22:04:01 +01:00
parent 53b14578e0
commit f209dcd3de
5 changed files with 32 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
Filelist
View File

@ -223,6 +223,7 @@ SRC_ALL = \
src/testdir/samples/*.html \ src/testdir/samples/*.html \
src/testdir/samples/*.txt \ src/testdir/samples/*.txt \
src/testdir/samples/*.vim \ src/testdir/samples/*.vim \
src/testdir/samples/poc.zip \
src/testdir/samples/test000 \ src/testdir/samples/test000 \
src/testdir/samples/test.zip \ src/testdir/samples/test.zip \
src/testdir/samples/test_undo.txt.undo \ src/testdir/samples/test_undo.txt.undo \

6
runtime/autoload/zip.vim
View File

@ -14,6 +14,7 @@
" 2024 Aug 05 by Vim Project: clean-up and make it work with shellslash on Windows " 2024 Aug 05 by Vim Project: clean-up and make it work with shellslash on Windows
" 2024 Aug 18 by Vim Project: correctly handle special globbing chars " 2024 Aug 18 by Vim Project: correctly handle special globbing chars
" 2024 Aug 21 by Vim Project: simplify condition to detect MS-Windows " 2024 Aug 21 by Vim Project: simplify condition to detect MS-Windows
" 2025 Mar 11 by Vim Project: handle filenames with leading '-' correctly
" License: Vim License (see vim's :help license) " License: Vim License (see vim's :help license)
" Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1 " Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1
" Permission is hereby granted to use and distribute this code, " Permission is hereby granted to use and distribute this code,
@ -343,6 +344,11 @@ fun! zip#Extract()
return return
endif endif
let target = fname->substitute('\[', '[[]', 'g') let target = fname->substitute('\[', '[[]', 'g')
" unzip 6.0 does not support -- to denote end-of-arguments
" unzip 6.1 (2010) apparently supports, it, but hasn't been released
" so the workaround is to use glob '[-]' so that it won't be considered an argument
" else, it would be possible to use 'unzip -o <file.zip> '-d/tmp' to extract the whole archive
let target = target->substitute('^-', '[&]', '')
if &shell =~ 'cmd' && has("win32") if &shell =~ 'cmd' && has("win32")
let target = target let target = target
\ ->substitute('[?*]', '[&]', 'g') \ ->substitute('[?*]', '[&]', 'g')

BIN
src/testdir/samples/poc.zip Normal file
View File

Binary file not shown.

23
src/testdir/test_plugin_zip.vim
View File

@ -235,3 +235,26 @@ def Test_zip_glob_fname()
bw bw
enddef enddef
def Test_zip_fname_leading_hyphen()
CheckNotMSWindows
### copy sample zip file
if !filecopy("samples/poc.zip", "X.zip")
assert_report("Can't copy samples/poc.zip")
return
endif
defer delete("X.zip")
defer delete('-d', 'rf')
defer delete('/tmp/pwned', 'rf')
e X.zip
:1
var fname = '-d/tmp'
search('\V' .. fname)
normal x
assert_true(filereadable('-d/tmp'))
assert_false(filereadable('/tmp/pwned'))
bw
enddef

2
src/version.c
View File

@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
1198,
/**/ /**/
1197, 1197,
/**/ /**/