averello/vim-mirror
1
0
Fork 0
mirror of https://github.com/vim/vim.git synced 2026-05-28 00:21:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

runtime(vimball): detect more path traversal attacks

Browse Source 
Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
2026-04-09 18:35:39 +00:00
parent c2734dc03c
commit 3e194b1068
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
runtime/autoload/vimball.vim
+4 -2
View File
@@ -6,7 +6,8 @@
" GetLatestVimScripts: 1502 1 :AutoInstall: vimball.vim
" Last Change:
" 2025 Feb 28 by Vim Project: add support for bzip3 (#16755)
" 2026 Apr 05 by Vim Project: Detect Path Traversal Attacks
" 2026 Apr 05 by Vim Project: Detect path traversal attacks
" 2026 Apr 09 by Vim Project: Detect more path traversal attacks
" Copyright: (c) 2004-2011 by Charles E. Campbell
" The VIM LICENSE applies to Vimball.vim, and Vimball.txt
" (see |copyright|) except use "Vimball" instead of "Vim".
@@ -229,7 +230,8 @@ fun! vimball#Vimball(really,...)
let fsize = substitute(getline(linenr+1),'^\(\d\+\).\{-}$','\1','')+0
let fenc = substitute(getline(linenr+1),'^\d\+\s*\(\S\{-}\)$','\1','')
let filecnt = filecnt + 1
if fname =~ '\.\.'
" Do not allow a leading / or .. anywhere in the file name
if fname =~ '\.\.' || fname =~ '^/'
echomsg "(Vimball) Path Traversal Attack detected, aborting..."
exe "tabn ".curtabnr
bw! Vimball