diff -up vim82/runtime/autoload/zip.vim.CVE-2025-53906 vim82/runtime/autoload/zip.vim
|
|
--- vim82/runtime/autoload/zip.vim.CVE-2025-53906 2021-03-22 10:02:41.000000000 +0100
|
|
+++ vim82/runtime/autoload/zip.vim 2025-09-10 19:33:11.491115978 +0200
|
|
@@ -251,6 +251,7 @@ fun! zip#Write(fname)
|
|
" call Dfunc("zip#Write(fname<".a:fname.">) zipfile_".winnr()."<".s:zipfile_{winnr()}.">")
|
|
let repkeep= &report
|
|
set report=10
|
|
+ let need_rename = 0
|
|
|
|
" sanity checks
|
|
if !executable(substitute(g:zip_zipcmd,'\s\+.*$','',''))
|
|
@@ -261,14 +262,6 @@ fun! zip#Write(fname)
|
|
" call Dret("zip#Write")
|
|
return
|
|
endif
|
|
- if !exists("*mkdir")
|
|
- redraw!
|
|
- echohl Error | echo "***error*** (zip#Write) sorry, mkdir() doesn't work on your system" | echohl None
|
|
-" call inputsave()|call input("Press <cr> to continue")|call inputrestore()
|
|
- let &report= repkeep
|
|
-" call Dret("zip#Write")
|
|
- return
|
|
- endif
|
|
|
|
let curdir= getcwd()
|
|
let tmpdir= tempname()
|
|
@@ -302,6 +295,11 @@ fun! zip#Write(fname)
|
|
let zipfile = substitute(a:fname,'^.\{-}zipfile:\(.\{-}\)::[^\\].*$','\1','')
|
|
let fname = substitute(a:fname,'^.\{-}zipfile:.\{-}::\([^\\].*\)$','\1','')
|
|
endif
|
|
+ if fname =~ '^[.]\{1,2}/'
|
|
+ call system(g:zip_zipcmd." -d ".s:Escape(fnamemodify(zipfile,":p"),0)." ".s:Escape(fname,0))
|
|
+ let fname = substitute(fname, '^\([.]\{1,2}/\)\+', '', 'g')
|
|
+ let need_rename = 1
|
|
+ endif
|
|
" call Decho("zipfile<".zipfile.">")
|
|
" call Decho("fname <".fname.">")
|
|
|
|
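Review bot: The guard on the added `if fname =~ '^[.]\{1,2}/'` line only recognises a traversal component at the very start of the entry name, so a name with a `..` component after its first segment, or an absolute name beginning with `/`, still reaches the write untouched; a component-wise test such as `fname =~ '\(^\|/\)\.\.\(/\|$\)' || fname =~ '^/'` would cover those, and the following `substitute` would then need to remove those components rather than only the leading run. The same leading-only pattern (`'^[.]\?[.]/'`) is used in the zip#Extract hunk at the end of this diff. The result of `call system(g:zip_zipcmd." -d " ...)` is also discarded, so a failed removal of the offending entry from the archive goes unnoticed; checking `v:shell_error` after the call and reporting a non-zero value would keep that visible to the user. The body of zip#Write continues outside this hunk.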
@@ -318,7 +316,7 @@ fun! zip#Write(fname)
|
|
endif
|
|
" call Decho("zipfile<".zipfile."> fname<".fname.">")
|
|
|
|
- exe "w! ".fnameescape(fname)
|
|
+ exe "w ".fnameescape(fname)
|
|
if has("win32unix") && executable("cygpath")
|
|
let zipfile = substitute(system("cygpath ".s:Escape(zipfile,0)),'\n','','e')
|
|
endif
|
|
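Review bot: Dropping the bang on `exe "w ".fnameescape(fname)` introduces a failure path that nothing in the hunk checks: a plain `:w` raises E13 when the target already exists, and since the function line in the hunk header carries no `abort`, execution presumably continues into the archive update with a file that was never written. If refusing to overwrite is the intent, the write should be guarded, e.g. `try | exe "w ".fnameescape(fname) | catch /E13/ | let &report= repkeep | return | endtry`, so the error is surfaced instead of silently skipped. The remainder of zip#Write is outside this hunk.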
@@ -348,6 +346,10 @@ fun! zip#Write(fname)
|
|
let &binary = binkeep
|
|
q!
|
|
unlet s:zipfile_{winnr()}
|
|
+ elseif need_rename
|
|
+ sil exe 'keepalt file '.fnameescape("zipfile://".zipfile.'::'.fname)
|
|
+ redraw!
|
|
+ echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, dropping relative path" | echohl None
|
|
endif
|
|
|
|
" cleanup and restore current directory
|
|
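Review bot: The added `echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, dropping relative path" | echohl None` line labels the diagnostic as coming from zip#Browse, but the hunk header places this code inside zip#Write, so the message misattributes its origin; change the prefix to `(zip#Write)`. The new branch in the zip#Extract hunk at the end of this diff carries the same `(zip#Browse)` label, where `(zip#Extract)` would be accurate. The surrounding if/elseif chain begins outside this hunk.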
@@ -383,6 +385,11 @@ fun! zip#Extract()
|
|
let &report= repkeep
|
|
" call Dret("zip#Extract")
|
|
return
|
|
+ elseif fname =~ '^[.]\?[.]/'
|
|
+ redraw!
|
|
+ echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!" | echohl None
|
|
+ let &report= repkeep
|
|
+ return
|
|
endif
|
|
|
|
" extract the file mentioned under the cursor
|