Commit Graph

3 Commits

Author SHA1 Message Date
zeertzjq
5cfdd4d8b9 vim-patch:9.1.1551: [security]: path traversal issue in zip.vim (#34951)
Problem:  [security]: path traversal issue in zip.vim (@ax)
Solution: drop leading ../ on write of zipfiles, don't forcefully
          overwrite existing files

A zip plugin which contains filenames with leading '../' may cause
confusion as to where the content will be extracted.  Let's drop such
things and make sure we use a relative filename instead and don't
forcefully overwrite temporary files. Also, warn the user of such
things.

related: vim/vim#17733

586294a041

vim-patch:e1044fb: runtime(zip): raise minimum Vim version to v9.0
vim-patch:e2d9b0d: runtime(zip): zip plugin does not work with Vim 9.0

Co-authored-by: Christian Brabandt <cb@256bit.org>
2025-07-16 01:08:57 +00:00
zeertzjq
b25527d20d vim-patch:9.1.1198: [security]: potential data loss with zip.vim (#32867)
Problem:  [security]: potential data loss with zip.vim and specially
          crafted zip files (RyotaK)
Solution: use glob '[-]' to protect filenames starting with '-'

GitHub Advisory:
https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf

f209dcd3de

Co-authored-by: Christian Brabandt <cb@256bit.org>
2025-03-13 08:47:02 +08:00
zeertzjq
bb31814033 vim-patch:partial:9.1.1088: tests: plugin tests are named inconsistently (#32388)
Problem:  tests: plugin tests are named inconsistently
Solution: group them under a common 'plugin' prefix

related: vim/vim#16599

934d9ab3a2

Co-authored-by: Christian Brabandt <cb@256bit.org>
2025-02-10 11:27:13 +08:00