PublicArchive/vim
2
0
Fork 0
mirror of https://github.com/vim/vim.git synced 2026-05-09 13:50:00 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
v9.2.0359
vim/runtime
T
History
Yasuhiro Matsumoto b076c49282 patch 9.2.0358: runtime(vimball): still path traversal attacks possible 
Problem:  runtime(vimball): still path traversal attacks possible
Solution: block Windows driver letter paths (Yasuhiro Matsumoto)

The path traversal check in vimball#Vimball() did not reject file
names starting with a Windows drive letter (e.g. "C:/foo"). Backslashes
are normalized to forward slashes earlier, so UNC paths are caught by
the leading-slash check, but absolute drive-letter paths slipped
through and could write outside of g:vimball_home on Windows.

Add a "^\a:" check next to the existing "^/" check, and cover it with
a new test.

closes: #19989

Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
2026-04-16 20:03:39 +00:00
..
autoload
patch 9.2.0358: runtime(vimball): still path traversal attacks possible
2026-04-16 20:03:39 +00:00
bitmaps
colors
compiler
patch 9.2.0225: runtime(compiler): No compiler plugin for just
2026-03-22 16:46:41 +00:00
doc
patch 9.2.0358: runtime(vimball): still path traversal attacks possible
2026-04-16 20:03:39 +00:00
ftplugin
runtime(racket): Make visual K mapping more robust for shell injection
2026-04-01 08:10:15 +00:00
icons
import/dist
indent
runtime(handlebars): adds handlebars template syntax & indent support
2026-03-05 20:06:02 +00:00
keymap
lang
macros
pack/dist/opt
runtime(netrw): add missing escape() calls
2026-04-15 20:47:29 +00:00
plugin
runtime(manpager): use \x07 instead of \a for BEL in OSC 8 regex
2026-03-24 19:48:44 +00:00
print
spell
syntax
patch 9.2.0356: Cannot apply 'scrolloff' context lines at end of file
2026-04-15 19:17:13 +00:00
tools
runtime(preproc_indent): Ignore Swapfiles when loading buffers
2026-04-02 17:53:30 +00:00
tutor
bugreport.vim
defaults.vim
delmenu.vim
doc.info
evim.vim
filetype.vim
patch 9.2.0333: filetype: PklProject files are not recognized
2026-04-10 18:40:37 +00:00
ftoff.vim
ftplugin.vim
ftplugof.vim
gvim.desktop
translation: Regenerate desktop files in runtime directory
2026-03-22 16:27:43 +00:00
gvimrc_example.vim
hi16-action-make.png
hi22-action-make.png
icons.info
indent.vim
indoff.vim
macmap.vim
macros.info
makemenu.vim
menu.vim
mswin.vim
optwin.vim
patch 9.2.0356: Cannot apply 'scrolloff' context lines at end of file
2026-04-15 19:17:13 +00:00
scripts.vim
synmenu.vim
termcap
tools.info
tutor.info
vim16x16_png.h
patch 9.2.0123: GTK: using deprecated gdk_pixbuf_new_from_xpm_data()
2026-03-08 20:10:03 +00:00
vim16x16.gif
vim16x16.png
vim16x16.xpm
vim32x32_png.h
patch 9.2.0123: GTK: using deprecated gdk_pixbuf_new_from_xpm_data()
2026-03-08 20:10:03 +00:00
vim32x32.gif
vim32x32.png
vim32x32.xpm
vim48x48_png.h
patch 9.2.0123: GTK: using deprecated gdk_pixbuf_new_from_xpm_data()
2026-03-08 20:10:03 +00:00
vim48x48.gif
vim48x48.png
vim48x48.xpm
vim.desktop
translation: Regenerate desktop files in runtime directory
2026-03-22 16:27:43 +00:00
vimlogo.cdr
vimlogo.eps
vimlogo.gif
vimlogo.pdf
vimlogo.svg
vimlogo.xpm
vimrc_example.vim
xdg.vim