mirror of
https://github.com/vim/vim.git
synced 2026-05-28 00:21:37 +02:00
runtime(tar): missing g:tar_secure in tar#Extract()
Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
+13
-12
@@ -24,6 +24,7 @@
|
||||
" 2026 Apr 09 by Vim Project: fix bugs with zstd support (#19930)
|
||||
" 2026 Apr 09 by Vim Project: fix bug with dotted filename (#19930)
|
||||
" 2026 Apr 15 by Vim Project: fix more path traversal issues (#19981)
|
||||
" 2026 Apr 16 by Vim Project: use g:tar_secure in tar#Extract()
|
||||
"
|
||||
" Contains many ideas from Michael Toren's <tar.vim>
|
||||
"
|
||||
@@ -640,7 +641,7 @@ fun! tar#Extract()
|
||||
endif
|
||||
|
||||
if tarball =~# "\.tar$"
|
||||
call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
|
||||
call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
|
||||
if v:shell_error != 0
|
||||
call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
|
||||
else
|
||||
@@ -649,7 +650,7 @@ fun! tar#Extract()
|
||||
|
||||
elseif tarball =~# "\.tgz$"
|
||||
let extractcmd= substitute(extractcmd,"-","-z","")
|
||||
call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
|
||||
call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
|
||||
if v:shell_error != 0
|
||||
call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
|
||||
else
|
||||
@@ -658,7 +659,7 @@ fun! tar#Extract()
|
||||
|
||||
elseif tarball =~# "\.tar\.gz$"
|
||||
let extractcmd= substitute(extractcmd,"-","-z","")
|
||||
call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
|
||||
call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
|
||||
if v:shell_error != 0
|
||||
call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
|
||||
else
|
||||
@@ -667,7 +668,7 @@ fun! tar#Extract()
|
||||
|
||||
elseif tarball =~# "\.tbz$"
|
||||
let extractcmd= substitute(extractcmd,"-","-j","")
|
||||
call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
|
||||
call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
|
||||
if v:shell_error != 0
|
||||
call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
|
||||
else
|
||||
@@ -676,7 +677,7 @@ fun! tar#Extract()
|
||||
|
||||
elseif tarball =~# "\.tar\.bz2$"
|
||||
let extractcmd= substitute(extractcmd,"-","-j","")
|
||||
call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
|
||||
call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
|
||||
if v:shell_error != 0
|
||||
call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
|
||||
else
|
||||
@@ -685,7 +686,7 @@ fun! tar#Extract()
|
||||
|
||||
elseif tarball =~# "\.tar\.bz3$"
|
||||
let extractcmd= substitute(extractcmd,"-","-j","")
|
||||
call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
|
||||
call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
|
||||
if v:shell_error != 0
|
||||
call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
|
||||
else
|
||||
@@ -694,7 +695,7 @@ fun! tar#Extract()
|
||||
|
||||
elseif tarball =~# "\.txz$"
|
||||
let extractcmd= substitute(extractcmd,"-","-J","")
|
||||
call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
|
||||
call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
|
||||
if v:shell_error != 0
|
||||
call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
|
||||
else
|
||||
@@ -703,7 +704,7 @@ fun! tar#Extract()
|
||||
|
||||
elseif tarball =~# "\.tar\.xz$"
|
||||
let extractcmd= substitute(extractcmd,"-","-J","")
|
||||
call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
|
||||
call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
|
||||
if v:shell_error != 0
|
||||
call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
|
||||
else
|
||||
@@ -712,7 +713,7 @@ fun! tar#Extract()
|
||||
|
||||
elseif tarball =~# "\.tzst$"
|
||||
let extractcmd= substitute(extractcmd,"-","--zstd -","")
|
||||
call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
|
||||
call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
|
||||
if v:shell_error != 0
|
||||
call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
|
||||
else
|
||||
@@ -721,7 +722,7 @@ fun! tar#Extract()
|
||||
|
||||
elseif tarball =~# "\.tar\.zst$"
|
||||
let extractcmd= substitute(extractcmd,"-","--zstd -","")
|
||||
call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
|
||||
call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
|
||||
if v:shell_error != 0
|
||||
call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
|
||||
else
|
||||
@@ -732,7 +733,7 @@ fun! tar#Extract()
|
||||
if has("linux")
|
||||
let extractcmd= substitute(extractcmd,"-","-I lz4 -","")
|
||||
endif
|
||||
call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
|
||||
call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
|
||||
if v:shell_error != 0
|
||||
call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
|
||||
else
|
||||
@@ -743,7 +744,7 @@ fun! tar#Extract()
|
||||
if has("linux")
|
||||
let extractcmd= substitute(extractcmd,"-","-I lz4 -","")
|
||||
endif
|
||||
call system(extractcmd." ".shellescape(tarball)." ".shellescape(fname))
|
||||
call system(extractcmd." ".shellescape(tarball)." ".g:tar_secure.shellescape(fname))
|
||||
if v:shell_error != 0
|
||||
call s:Msg('tar#Extract', 'error', $"{extractcmd} {tarball} {fname}: failed!")
|
||||
else
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
*pi_tar.txt* For Vim version 9.2. Last change: 2026 Feb 14
|
||||
*pi_tar.txt* For Vim version 9.2. Last change: 2026 Apr 16
|
||||
|
||||
+====================+
|
||||
| Tar File Interface |
|
||||
@@ -101,10 +101,17 @@ Copyright 2005-2017: *tar-copyright*
|
||||
4. History *tar-history*
|
||||
|
||||
unreleased:
|
||||
Apr 16, 2026 * add missing g:tar_secure into tar#Extract
|
||||
Apr 15, 2026 * add path traversal checks in tar#Extract()
|
||||
Apr 09, 2026 * fix zstd support and dotted filename support
|
||||
Apr 06, 2026 * fix lz4 support
|
||||
Feb 07, 2026 * make path traversal detection more robust
|
||||
Feb 06, 2026 * fix bug with nowrapscan
|
||||
Jul 16, 2025 * update minimum required Vim version
|
||||
Jul 13, 2025 * drop leading /
|
||||
May 19, 2025 * restore working directory after read/write
|
||||
Apr 16, 2025 * decouple from netrw by adding s:WinPath()
|
||||
instead of shelling out to file(1)
|
||||
instead of shelling out to file(1)
|
||||
Mar 02, 2025 * determine the compression using readblob()
|
||||
Mar 02, 2025 * escape the filename before using :read
|
||||
Mar 01, 2025 * fix syntax error in tar#Read()
|
||||
|
||||
Reference in New Issue
Block a user