vim-mirror/runtime/autoload
Yasuhiro Matsumoto b076c49282 patch 9.2.0358: runtime(vimball): still path traversal attacks possible
Problem:  runtime(vimball): still path traversal attacks possible
Solution: block Windows drive letter paths (Yasuhiro Matsumoto)

The path traversal check in vimball#Vimball() did not reject file
names starting with a Windows drive letter (e.g. "C:/foo"). Backslashes
are normalized to forward slashes earlier, so UNC paths are caught by
the leading-slash check, but absolute drive-letter paths slipped
through and could write outside of g:vimball_home on Windows.

Add a "^\a:" check next to the existing "^/" check, and cover it with
a new test.

closes: #19989

Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
2026-04-16 20:03:39 +00:00
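
The check described in the commit message above, sketched as an added example (not the vimball source). `s:IsSafeMemberName()` and the sample names are hypothetical, and the `..` component test is an assumption beyond what the message states.

```vim
" Added illustration: s:IsSafeMemberName() is a hypothetical helper,
" not a function from autoload/vimball.vim.
let s:cpo_save = &cpo
set cpo&vim

function! s:IsSafeMemberName(fname) abort
  " Normalize backslashes first, so Windows separators and UNC prefixes
  " (\\host\share) take the same form as POSIX paths.
  let l:name = substitute(a:fname, '\\', '/', 'g')
  " Leading slash: POSIX absolute path, or a UNC path after normalization.
  if l:name =~# '^/'
    return 0
  endif
  " Drive letter: "C:/foo" is absolute and "C:foo" is drive-relative;
  " neither stays anchored under the extraction directory on Windows.
  if l:name =~# '^\a:'
    return 0
  endif
  " Assumption (not stated in the commit message): also reject any ".."
  " path component, which would climb out of the extraction directory.
  if index(split(l:name, '/'), '..') >= 0
    return 0
  endif
  return l:name !=# ''
endfunction

" Constructed sample member names mapped to the expected verdict.
let s:cases = {
      \ 'plugin/foo.vim': 1,
      \ 'doc\foo.txt': 1,
      \ '/etc/passwd': 0,
      \ '\\host\share\x.vim': 0,
      \ 'C:/foo': 0,
      \ 'c:\Users\x\_vimrc': 0,
      \ 'plugin/../../x.vim': 0,
      \ }
for [s:name, s:expected] in items(s:cases)
  call assert_equal(s:expected, s:IsSafeMemberName(s:name), s:name)
endfor
echo empty(v:errors) ? 'all cases passed' : v:errors

let &cpo = s:cpo_save
```

The order matters: without the backslash normalization, `\\host\share\x.vim` would pass the `^/` test, and without the `^\a:` test the two drive-letter names would be accepted.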

The autoload directory is for standard Vim autoload scripts.

These are functions used by plugins and for general use.  They will be loaded
automatically when the function is invoked.  See ":help autoload".

gzip.vim	for editing compressed files
netrw*.vim	browsing (remote) directories and editing remote files
tar.vim		browsing tar files
zip.vim		browsing zip files
paste.vim	common code for mswin.vim, menu.vim and macmap.vim
spellfile.vim	downloading of a missing spell file

Omni completion files:
ccomplete.vim		C
csscomplete.vim		HTML / CSS
htmlcomplete.vim	HTML
javascriptcomplete.vim  Javascript
phpcomplete.vim		PHP
pythoncomplete.vim	Python
rubycomplete.vim	Ruby
syntaxcomplete.vim	from syntax highlighting
xmlcomplete.vim		XML (uses files in the xml directory)