patch 9.1.1551: [security]: path traversal issue in zip.vim

Problem:  [security]: path traversal issue in zip.vim (@ax)
Solution: drop leading ../ on write of zipfiles, don't forcefully
          overwrite existing files

A zip plugin which contains filenames with leading '../'  may cause
confusion as to where the content will be extracted.  Let's drop such
things and make sure we use a relative filename instead and don't
forcefully overwrite temporary files. Also, warn the user of such
things.

related: #17733

Signed-off-by: Christian Brabandt <cb@256bit.org>
Christian Brabandt
2025-07-15 21:43:01 +02:00
parent 3f9d2378bd
commit 586294a041
7 changed files with 185 additions and 144 deletions

@ -212,6 +212,7 @@ SRC_ALL = \
src/testdir/samples/*.html \
src/testdir/samples/*.txt \
src/testdir/samples/*.vim \
src/testdir/samples/evil.zip \
src/testdir/samples/poc.zip \
src/testdir/samples/test.zip \
src/testdir/samples/test000 \
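Review bot: the new fixture `src/testdir/samples/evil.zip` is added to SRC_ALL between the `*.vim` samples and `poc.zip`, but neither this hunk nor the commit message says what the archive contains or which test consumes it; since a binary zip carrying an entry with a leading `../` cannot be inspected in the diff, consider stating in the commit message (or a comment beside the test that opens it) that this fixture exercises the path-traversal case described above, so a later reader does not have to unpack it to understand why it ships in the distribution list. The placement itself is consistent with the surrounding alphabetical order, and the remaining six changed files are not visible here.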