Problem: runtime(vimball): still path traversal attacks possible
Solution: block Windows driver letter paths (Yasuhiro Matsumoto)
The path traversal check in vimball#Vimball() did not reject file
names starting with a Windows drive letter (e.g. "C:/foo"). Backslashes
are normalized to forward slashes earlier, so UNC paths are caught by
the leading-slash check, but absolute drive-letter paths slipped
through and could write outside of g:vimball_home on Windows.
Add a "^\a:" check next to the existing "^/" check, and cover it with
a new test.
closes: #19989
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: The vimball plugin needs some love
(syndicate)
Solution: Clean-up, refactor and update the plugin,
in particular, catch path traversal attacks
This change does the following
- Clean up Indentation and remove calls to Decho
- Increase minimum Vim version to 7.4 for mkdir()
- Use mkdir() consistently
- Update Metadata Header
- Remove check for fnameescape()
- Catch path traversal attacks
- Add vimball basic tests
- Remove mentioning of g:vimball_mkdir in documentation
closes: #19921
Signed-off-by: Christian Brabandt <cb@256bit.org>
Yasuhiro Matsumoto
Christian Brabandt
Jim Zhou
Bram Moolenaar