patch 9.1.1552: [security]: path traversal issue in tar.vim Commit: https://github.com/vim/vim/commit/87757c6b0a4b2c1f71c72ea8e1438b8fb116b239 Author: Christian Brabandt <c...@256bit.org> Date: Tue Jul 15 21:54:00 2025 +0200
patch 9.1.1552: [security]: path traversal issue in tar.vim Problem: [security]: path traversal issue in tar.vim (@ax) Solution: warn the user for such things, drop leading /, don't forcefully overwrite files when writing temporary files, refactor autoload/tar.vim tar.vim: drop leading / in path names A tar archive containing files with leading `/` may cause confusions as to where the content is extracted. Let's make sure we drop the leading `/` and use a relative path instead. Also while at it, had to refactor it quite a bit and increase the minimum supported Vim version to v9. Also add a test for some basic tar functionality closes: #17733
diff --git a/Filelist b/Filelist
index 3c9f78301..41eba3107 100644
--- a/Filelist
+++ b/Filelist
@@ -213,7 +213,9 @@ SRC_ALL = \
 src/testdir/samples/*.txt \
 src/testdir/samples/*.vim \
 src/testdir/samples/evil.zip \
+ src/testdir/samples/evil.tar \
 src/testdir/samples/poc.zip \
+ src/testdir/samples/sample.tar \
 src/testdir/samples/test.zip \
 src/testdir/samples/test000 \
 src/testdir/samples/test_undo.txt.undo \
diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
index 7c1cefa63..1a0d4f8a3 100644
--- a/runtime/autoload/tar.vim
+++ b/runtime/autoload/tar.vim
@@ -16,6 +16,7 @@
 " instead of shelling out to file(1)
 " 2025 Apr 16 by Vim Project: decouple from netrw by adding s:WinPath()
 " 2025 May 19 by Vim Project: restore working directory after read/write
+" 2025 Jul 13 by Vim Project: warn with path traversal attacks
 "
 " Contains many ideas from Michael Toren's <tar.vim>
 "
@@ -34,9 +35,9 @@ if &cp || exists("g:loaded_tar")
 finish
 endif
 let g:loaded_tar= "v32b"
-if v:version < 702
+if v:version < 900
 echohl WarningMsg
- echo "***warning*** this version of tar needs vim 7.2"
+ echo "***warning*** this version of tar needs vim 9.0"
 echohl Normal
 finish
 endif
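Review bot: `let g:loaded_tar= "v32b"` is left unchanged in the `@@ -34,9 +35,9 @@` hunk while the minimum Vim version, the default `g:tar_*` options and the script's path handling all change; bumping the version string (e.g. to `"v33"`) would let users and bug reports tell the hardened script from the previous one. The move to `v:version < 900` is presumably driven by the `$"..."` interpolated strings the new `s:Msg` uses further down in the file, which is worth recording next to the check: `" needs v9.0: $"..." string interpolation is used throughout (see s:Msg)`. The header line `warn with path traversal attacks` reads better as `warn about path traversal attempts and drop leading / from member names`, which also records the second half of the fix.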
@@ -46,10 +47,10 @@ set cpo&vim
 " ---------------------------------------------------------------------
 " Default Settings: {{{1
 if !exists("g:tar_browseoptions")
- let g:tar_browseoptions= "Ptf"
+ let g:tar_browseoptions= "tf"
 endif
 if !exists("g:tar_readoptions")
- let g:tar_readoptions= "pPxf"
+ let g:tar_readoptions= "pxf"
 endif
 if !exists("g:tar_cmd")
 let g:tar_cmd= "tar"
@@ -58,6 +59,7 @@ if !exists("g:tar_writeoptions")
 let g:tar_writeoptions= "uf"
 endif
 if !exists("g:tar_delfile")
+ " Note: not supported on BSD
 let g:tar_delfile="--delete -f"
 endif
 if !exists("g:netrw_cygwin")
@@ -106,10 +108,26 @@ if !exists("g:tar_shq")
 endif
 endif
+let g:tar_secure=' -- '
+let g:tar_leading_pat='^\%([.]\{,2\}/\)\+'
 " ----------------
 " Functions: {{{1
 " ----------------
+" ---------------------------------------------------------------------
+" s:Msg: {{{2
+fun! s:Msg(func, severity, msg)
+redraw!
+if a:severity =~? 'error'
+echohl Error
+else
+echohl WarningMsg
+endif
+echo $"***{a:severity}*** ({a:func}) {a:msg}"
+echohl None
+endfunc
 " ---------------------------------------------------------------------
 " tar#Browse: {{{2
 fun! tar#Browse(tarfile)
@@ -118,16 +136,14 @@ fun! tar#Browse(tarfile)
 " sanity checks
 if !executable(g:tar_cmd)
- redraw!
- echohl Error | echo '***error*** (tar#Browse) "'.g:tar_cmd.'" not available on your system'
+ call s:Msg('tar#Browse', 'error', $"{g:tar_cmd} not available on your system")
 let &report= repkeep
 return
 endif
 if !filereadable(a:tarfile)
 if a:tarfile !~# '^ \+://'
 " if it's an url, don't complain, let url-handlers such as vim do its thing
- redraw!
- echohl Error | echo "***error*** (tar#Browse) File not readable<".a:tarfile.">" | echohl None
+ call s:Msg('tar#Browse', 'error', $"File not readable<{a:tarfile}>")
 endif
 let &report= repkeep
 return
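Review bot: Dropping `P` from the `g:tar_browseoptions` and `g:tar_readoptions` defaults in the `@@ -46,10 +47,10 @@` hunk is security-relevant work that the hunk leaves undocumented: without `-P`/`--absolute-names` GNU tar strips leading `/` from member names and refuses members containing a `..` component, so a later edit that restores `P` for convenience would quietly reopen the traversal. Suggest a comment above the two defaults, e.g. `" Note: do not add 'P' (--absolute-names): tar stripping leading '/' and refusing '..' members is part of the path-traversal mitigation`. Both options stay user-overridable through the `if !exists()` guards, so the script's own leading-slash handling (outside this hunk) has to remain the backstop rather than relying on these defaults alone. Whether non-GNU tar implementations treat `..` members the same way is worth confirming in the test the commit adds.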
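Review bot: `g:tar_leading_pat='^\%([.]\{,2\}/\)\+'` in the `@@ -106,10 +108,26 @@` hunk only normalizes a prefix of `/`, `./` or `../` segments; a constructed member name such as `dir/../../x` matches nothing and passes through unchanged, so wherever the pattern is applied (outside this hunk) an explicit check for any `..` component, e.g. `if fname =~# '\%(^\|/\)\.\.\%(/\|$\)'` reported through `s:Msg(..., 'error', ...)`, is still needed as a backstop. Unlike the other defaults, `g:tar_secure` and `g:tar_leading_pat` are assigned unconditionally rather than behind `if !exists()`, which looks deliberate (a vimrc cannot weaken them) but deserves a one-line comment saying so. `s:Msg` has no header comment; suggest `" s:Msg: redraw, then echo "***{severity}*** ({func}) {msg}"; a severity matching 'error' uses Error highlighting, anything else WarningMsg`.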
@@ -203,28 +219,18 @@ fun! tar#Browse(tarfile)
 exe "sil! r! ".g:tar_cmd." -".g:tar_browseoptions." ".shellescape(tarfile,1)
 endif
 if v:shell_error != 0
- redraw!
- echohl WarningMsg | echo "***warning*** (tar#Browse) please check your g:tar_browseoptions<".g:tar_browseoptions.">"
+ call s:Msg('tar#Browse', 'warning', $"please check your g:tar_browseoptions '<{g:tar_browseoptions}>'")
 return
 endif
- "
- " The following should not be neccessary, since in case of errors the
- " previous if statement should have caught the problem (because tar exited
- " with a non-zero exit code).
- "
 if line("$") == curlast || ( line("$") == (curlast + 1) && " \ getline("$") =~# ' -- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/vim_dev/E1ubmWP-007oOJ-Hj%40256bit.org.