patch 9.1.1552: [security]: path traversal issue in tar.vim
Problem: [security]: path traversal issue in tar.vim
(@ax)
Solution: warn the user for such things, drop leading /, don't
forcefully overwrite files when writing temporary files,
refactor autoload/tar.vim
tar.vim: drop leading / in path names
A tar archive containing files with leading `/` may cause confusions as
to where the content is extracted. Let's make sure we drop the leading
`/` and use a relative path instead.
Also while at it, had to refactor it quite a bit and increase the
minimum supported Vim version to v9. Also add a test for some basic tar
functionality.
closes: #17733
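The commit message above describes the fix in one line: a member name that starts with `/` is rewritten to a relative path and the user is warned. The following is an added illustration, not code from Vim or from its tar.vim plugin (which is Vim script): a Python sketch of that member-name handling, run over a small archive constructed in memory. The `..` check goes beyond the leading-slash fix the patch describes and is a generalisation of the same idea; the function names `normalise_member`, `scan_archive` and `build_sample_archive` are my own.

```python
# Added example, not code from Vim or its tar.vim plugin (which is Vim script):
# a Python sketch of the member-name handling the commit message describes.
# normalise_member() drops leading '/' so a member is always placed relative
# to the working directory and records a warning for the user; the '..' check
# is a generalisation beyond the patch's leading-slash fix. All names here
# (normalise_member, scan_archive, build_sample_archive) are my own.
import io
import tarfile
from typing import Dict, List, Optional, Tuple


def normalise_member(name: str) -> Tuple[Optional[str], List[str]]:
    """Return (relative_name, warnings) for one archive member name.

    relative_name is None when the member should be skipped entirely.
    """
    warnings: List[str] = []
    stripped = name.lstrip("/")          # '/etc/hostname' -> 'etc/hostname'
    if stripped != name:
        warnings.append(f"{name!r}: absolute path rewritten to relative {stripped!r}")
    # Collapse empty and '.' components ('./a/./b' -> 'a/b').
    parts = [p for p in stripped.split("/") if p not in ("", ".")]
    if ".." in parts:
        warnings.append(f"{name!r}: '..' component would escape the extraction directory, member skipped")
        return None, warnings
    if not parts:
        warnings.append(f"{name!r}: nothing left after normalisation, member skipped")
        return None, warnings
    return "/".join(parts), warnings


def build_sample_archive() -> bytes:
    """Constructed in-memory sample archive; only the member names matter."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/readme.txt", "/etc/hostname", "../../escape.txt", "./a/./b.txt"):
            payload = b"placeholder\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def scan_archive(data: bytes) -> Tuple[Dict[str, str], List[str]]:
    """Map every stored member name to the relative path it would be written
    to, leaving out members that must be skipped, and gather the warnings."""
    mapping: Dict[str, str] = {}
    all_warnings: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for member in tf.getmembers():
            safe, warnings = normalise_member(member.name)
            all_warnings.extend(warnings)
            if safe is not None:
                mapping[member.name] = safe
    return mapping, all_warnings


if __name__ == "__main__":
    mapping, warnings = scan_archive(build_sample_archive())
    for stored, safe in mapping.items():
        print(f"{stored!r} -> {safe!r}")
    for w in warnings:
        print("warning:", w)
```

Run stand-alone, the script lists `docs/readme.txt` and `a/b.txt` unchanged, maps `/etc/hostname` to `etc/hostname` with a warning, and skips `../../escape.txt` with a second warning; the stored name is kept as the key so the user sees both the original entry and where it would actually land.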
@ -1,11 +1,10 @@
*pi_tar.txt* For Vim version 9.1. Last change: 2025 Mar 16
*pi_tar.txt* For Vim version 9.1. Last change: 2025 Jul 15
+====================+
| Tar File Interface |
+====================+
Author: Charles E. Campbell <NcampObell@SdrPchip.AorgM-NOSPAM>
(remove NOSPAM from Campbell's email first)
Original Author: Charles E. Campbell
Copyright 2005-2017: *tar-copyright*
The VIM LICENSE (see |copyright|) applies to the files in this
package, including tarPlugin.vim, tar.vim, and pi_tar.txt. Like
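Review bot: the header now reads "Original Author: Charles E. Campbell" and the contact e-mail line is gone, but nothing in this hunk names a current maintainer or contact; since the history section records the plugin's adoption ("Feb 19, 2024 * announce adoption"), consider adding a "Maintainer:" line next to "Original Author:" so that reports like the one this patch fixes have a visible destination.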
@ -61,7 +60,7 @@ Copyright 2005-2017: *tar-copyright*
the file mentioned in the tarball. If the current directory is not
correct for that path, :TarDiff will fail to find the associated file.
If the [filename] is given, that that filename (and path) will be used
If the [filename] is given, that filename (and path) will be used
to specify the associated file.
@ -95,24 +94,25 @@ Copyright 2005-2017: *tar-copyright*
*g:tar_readoptions* "OPxf" used to extract a file from a tarball
*g:tar_cmd* "tar" the name of the tar program
*g:tar_nomax* 0 if true, file window will not be maximized
*g:tar_secure* undef if exists:
"--"s will be used to prevent unwanted
option expansion in tar commands.
Please be sure that your tar command
accepts "--"; Posix compliant tar
utilities do accept them.
if not exists:
The tar plugin will reject any tar
files or member files that begin with
"-"
Not all tar's support the "--" which is why
it isn't default.
*g:tar_writeoptions* "uf" used to update/replace a file
==============================================================================
4. History *tar-history*
unreleased:
Jul 13, 2025 * drop leading /
May 19, 2025 * restore working directory after read/write
Apr 16, 2025 * decouple from netrw by adding s:WinPath()
instead of shelling out to file(1)
Mar 02, 2025 * determine the compression using readblob()
Mar 02, 2025 * escape the filename before using :read
Mar 01, 2025 * fix syntax error in tar#Read()
Feb 28, 2025 * add support for bzip3 (#16755)
Feb 06, 2025 * add support for lz4 (#16591)
Nov 11, 2024 * support permissions (#7379)
Feb 19, 2024 * announce adoption
Jan 08, 2024 * fix a few problems (#138331, #12637, #8109)
v31 Apr 02, 2017 * (klartext) reported that browsing encrypted
files in a zip archive created unencrypted
swap files. I am applying a similar fix
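Review bot: the history entry "Jul 13, 2025 * drop leading /" is the only place this hunk records the new behaviour, while the commit message also says the user is warned, that temporary files are no longer forcefully overwritten, and that the minimum supported Vim version is now v9; consider listing those in the "unreleased:" block as well, and documenting the warning and the leading-slash rewrite in the option descriptions above (for instance next to *g:tar_secure*, which already explains how member names beginning with "-" are handled), so users learn about it from the options section rather than only from the changelog. The "Last change: 2025 Jul 15" date in the file header also does not match the Jul 13 entry here; harmless, but worth aligning.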
@ -7857,7 +7857,6 @@ g:tar_copycmd pi_tar.txt /*g:tar_copycmd*
g:tar_extractcmd pi_tar.txt /*g:tar_extractcmd*
g:tar_nomax pi_tar.txt /*g:tar_nomax*
g:tar_readoptions pi_tar.txt /*g:tar_readoptions*
g:tar_secure pi_tar.txt /*g:tar_secure*
g:tar_writeoptions pi_tar.txt /*g:tar_writeoptions*
g:termdebug_config terminal.txt /*g:termdebug_config*
g:termdebugger terminal.txt /*g:termdebugger*
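Review bot: the hunk header "-7857,7 +7857,6" shows one tag entry being removed from the tags file, but the rendered view does not mark which of the seven listed lines it is; since the tags file is regenerated by :helptags, make sure the matching *g:tar_...* anchor was also removed from pi_tar.txt, otherwise the entry will simply come back the next time tags are rebuilt.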