From 3e2ce64f88bc01d4254877f748b84b7a5c9a7c62 Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Thu, 2 Apr 2026 06:23:23 +0800
Subject: [PATCH] vim-patch:9.2.0280: [security]: path traversal issue in zip.vim (#38693)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problem: [security]: path traversal issue in zip.vim (MichaƂ Majchrowicz)
Solution: Detect more such attacks and warn the user.

Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-jc86-w7vm-8p24

https://github.com/vim/vim/commit/7088926316d8d4a7572a242d0765e99adfc8b083

Co-authored-by: Christian Brabandt
(cherry picked from commit 0851ac2706e9ea174222e781ccaf598e760dcc67)
---
 runtime/autoload/zip.vim | 8 +++++++-
 test/old/testdir/samples/evil.zip | Bin 148 -> 413 bytes
 test/old/testdir/test_plugin_zip.vim | 22 ++++++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/runtime/autoload/zip.vim b/runtime/autoload/zip.vim
index 4bedcc9173..473b83ca14 100644
--- a/runtime/autoload/zip.vim
+++ b/runtime/autoload/zip.vim
@@ -20,6 +20,7 @@
 " 2025 Dec 20 by Vim Project: use :lcd instead of :cd
 " 2026 Feb 08 by Vim Project: use system() instead of :!
 " 2026 Mar 08 by Vim Project: Make ZipUpdatePS() check for powershell
+" 2026 Apr 01 by Vim Project: Detect more path traversal attacks
 " License: Vim License (see vim's :help license)
 " Copyright: Copyright (C) 2005-2019 Charles E. Campbell {{{1
 " Permission is hereby granted to use and distribute this code,
@@ -367,6 +368,11 @@ fun! zip#Write(fname)
 return
 endif
 
+ if simplify(a:fname) =~ '\.\.[/\\]'
+ call s:Mess('Error', "***error*** (zip#Write) Path Traversal Attack detected, not writing!")
+ return
+ endif
+
 let curdir= getcwd()
 let tmpdir= tempname()
 if tmpdir =~ '\.'
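Review bot: The new guard in zip#Write runs `simplify()` over the whole buffer name, and judging by the `zipfile://.*::.*` pattern the test asserts, a:fname is `zipfile://<archive>::<entry>`, so the `..` components of the entry are simplified against the `<archive>::` and `zipfile:` pseudo-components rather than on their own, and an absolute entry such as `/tmp/foobar` or `C:\x` is not matched at all. I would isolate the entry first and reject both forms: `let entry = substitute(a:fname, '^.\{-}::', '', '')` followed by `if simplify(entry) =~ '\.\.[/\\]' || entry =~ '^\%([/\\]\|\a:\)'`. Whether simplify() actually collapses a `..` into the preceding `<archive>::..` component depends on its directory-existence rule, which I have not traced here, and whether an absolute entry ends up written outside tmpdir depends on the write path later in zip#Write, which lies outside this hunk. A short comment above the guard, `" refuse to write an entry whose name escapes the temp extraction dir`, would also make the intent clear to the next reader.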
@@ -481,7 +487,7 @@ fun! zip#Extract()
 if fname =~ '/$'
 call s:Mess('Error', "***error*** (zip#Extract) Please specify a file, not a directory")
 return
- elseif fname =~ '^[.]\?[.]/'
+ elseif fname =~ '^[.]\?[.]/' || simplify(fname) =~ '\.\.[/\\]'
 call s:Mess('Error', "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!")
 return
 endif
diff --git a/test/old/testdir/samples/evil.zip b/test/old/testdir/samples/evil.zip
index e0a7f96141eed3ec5de68babd9d8bef7c72e5845..17cffadf934580090ebe2b3d3876edec14767658 100644
GIT binary patch
literal 413
zcmWIWW@Zs#00E(lH&MUiHn*}dFff3y7y|=?o}NA&rIsY?Csybdl;;(c=cT4_fpl_# zG%`G`YmBK2X1U4Az`y{)P7E>(i3p8w6Nq7yx0Q7KMgzGBDq@Kbr}{r4`%^ zj4Ush85qC>*aZRJj7%cTxE&968v_HwmPQZ@*>Z$eKxW7>"
+ normal x
+ call assert_false(filereadable('/tmp/foobar'))
+ :w
+ let mess = execute(':mess')
+ call assert_match('Path Traversal Attack', mess)
+ call assert_match('zipfile://.*::.*tmp/foobar', @%)
+ bw!
+endfunc
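Review bot: The extended condition in zip#Extract still lets an absolute entry name through: `fname` here is the archive entry, and neither `'^[.]\?[.]/'` nor `'\.\.[/\\]'` matches `/etc/foo` or `C:\foo`, which escape the target directory just as `../` does if the extraction backend honours them. I would add the absolute form to the same line: `elseif fname =~ '^[.]\?[.]/' || fname =~ '^\%([/\\]\|\a:\)' || simplify(fname) =~ '\.\.[/\\]'`. Info-ZIP's unzip strips a leading slash by default, but the header history in this patch shows a PowerShell backend as well, and I have not confirmed how that one treats such names. The error message on the following context line still reads `(zip#Browse)` although it is emitted from zip#Extract; worth correcting while this branch is being touched.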