patch 9.1.1198: [security]: potential data loss with zip.vim
Problem: [security]: potential data loss with zip.vim and special
crafted zip files (RyotaK)
Solution: use glob '[-]' to protect filenames starting with '-'
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/testdir/samples/poc.zip b/src/testdir/samples/poc.zip
new file mode 100644
index 0000000..8b2b44b
--- /dev/null
+++ b/src/testdir/samples/poc.zip
Binary files differ
diff --git a/src/testdir/test_plugin_zip.vim b/src/testdir/test_plugin_zip.vim
index e831f26..2050b4c 100644
--- a/src/testdir/test_plugin_zip.vim
+++ b/src/testdir/test_plugin_zip.vim
@@ -235,3 +235,26 @@
bw
enddef
+
+def Test_zip_fname_leading_hyphen()
+ CheckNotMSWindows
+
+ ### copy sample zip file
+ if !filecopy("samples/poc.zip", "X.zip")
+ assert_report("Can't copy samples/poc.zip")
+ return
+ endif
+ defer delete("X.zip")
+ defer delete('-d', 'rf')
+ defer delete('/tmp/pwned', 'rf')
+
+ e X.zip
+
+ :1
+ var fname = '-d/tmp'
+ search('\V' .. fname)
+ normal x
+ assert_true(filereadable('-d/tmp'))
+ assert_false(filereadable('/tmp/pwned'))
+ bw
+enddef
diff --git a/src/version.c b/src/version.c
index 65332f5..265081a 100644
--- a/src/version.c
+++ b/src/version.c
@@ -705,6 +705,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 1198,
+/**/
1197,
/**/
1196,