runtime(tar): Make the path traversal detection more robust

closes: #19341 Signed-off-by: Christian Brabandt <cb@256bit.org>
2026-05-28 00:21:37 +02:00 · 2026-02-07 10:12:34 +00:00
parent f73bd2546e
commit 7ccb81bdb6
1 changed files with 3 additions and 2 deletions
@@ -19,6 +19,7 @@
 "   2025 Jul 13 by Vim Project: warn with path traversal attacks
 "   2025 Jul 16 by Vim Project: update minimum vim version
 "   2026 Feb 06 by Vim Project: consider 'nowrapscan' (#19333)
+"   2026 Feb 07 by Vim Project: make the path traversal detection more robust (#19341)
 "
 "	Contains many ideas from Michael Toren's <tar.vim>
 "
@@ -111,7 +112,7 @@ if !exists("g:tar_shq")
 endif

 let g:tar_secure=' -- '
-let g:tar_leading_pat='^\%([.]\{,2\}/\)\+'
+let g:tar_leading_pat='\m^\%([.]\{,2\}/\)\+'

 " ----------------
 "  Functions: {{{1
@@ -227,7 +228,7 @@ fun! tar#Browse(tarfile)

  " remove tar: Removing leading '/' from member names
  " Note: the message could be localized
-  if search('^tar: ', 'w') > 0 || search(g:tar_leading_pat, 'w') > 0
+  if search('\m^g\?tar: ', 'w') > 0 || search(g:tar_leading_pat, 'w') > 0
    call append(3,'" Note: Path Traversal Attack detected!')
    let b:leading_slash = 1
    " remove the message output