From 7088926316d8d4a7572a242d0765e99adfc8b083 Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Wed, 1 Apr 2026 16:23:49 +0000
Subject: patch 9.2.0280: [security]: path traversal issue in zip.vim
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problem:  [security]: path traversal issue in zip.vim
          (Michał Majchrowicz)
Solution: Detect more such attacks and warn the user.

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-jc86-w7vm-8p24

Signed-off-by: Christian Brabandt <cb@256bit.org>
---
 src/testdir/samples/evil.zip    | Bin 148 -> 413 bytes
 src/testdir/test_plugin_zip.vim |  22 ++++++++++++++++++++++
 2 files changed, 22 insertions(+)

(limited to 'src/testdir')

diff --git a/src/testdir/samples/evil.zip b/src/testdir/samples/evil.zip
index e0a7f96141..17cffadf93 100644
Binary files a/src/testdir/samples/evil.zip and b/src/testdir/samples/evil.zip differ
diff --git a/src/testdir/test_plugin_zip.vim b/src/testdir/test_plugin_zip.vim
index 08f8223b60..53b6120834 100644
--- a/src/testdir/test_plugin_zip.vim
+++ b/src/testdir/test_plugin_zip.vim
@@ -274,3 +274,25 @@ def g:Test_zip_fname_evil_path()
   assert_match('zipfile://.*::etc/ax-pwn', @%)
   bw
 enddef
+
+def g:Test_zip_fname_evil_path2()
+  CheckNotMSWindows
+  # needed for writing the zip file
+  CheckExecutable zip
+
+  CopyZipFile("evil.zip")
+  defer delete("X.zip")
+  e X.zip
+
+  :1
+  var fname = 'foobar'
+  search('\V' .. fname)
+  exe "normal \<cr>"
+  normal x
+  assert_false(filereadable('/tmp/foobar'))
+  :w
+  var mess  = execute(':mess')
+  assert_match('Path Traversal Attack', mess)
+  assert_match('zipfile://.*::.*tmp/foobar', @%)
+  bw!
+enddef
-- 
cgit 0.0.5-2-1-g0f52