vim
diff --git a/‎Filelist
Copy file name to clipboard
+1Lines changed: 1 addition & 0 deletions b/‎Filelist
Copy file name to clipboard
+1Lines changed: 1 addition & 0 deletions
diff --git a/‎runtime/autoload/zip.vim
Copy file name to clipboard
+51-43Lines changed: 51 additions & 43 deletions b/‎runtime/autoload/zip.vim
Copy file name to clipboard
+51-43Lines changed: 51 additions & 43 deletions
diff --git a/‎runtime/doc/pi_zip.txt
Copy file name to clipboard
+13-1Lines changed: 13 additions & 1 deletion b/‎runtime/doc/pi_zip.txt
Copy file name to clipboard
+13-1Lines changed: 13 additions & 1 deletion
@@ -212,6 +212,7 @@ SRC_ALL =	\
 		src/testdir/samples/*.html \
 		src/testdir/samples/*.txt \
 		src/testdir/samples/*.vim \
+		src/testdir/samples/evil.zip \
 		src/testdir/samples/poc.zip \
 		src/testdir/samples/test.zip \
 		src/testdir/samples/test000 \
 
@@ -15,6 +15,7 @@
 " 2024 Aug 18 by Vim Project: correctly handle special globbing chars
 " 2024 Aug 21 by Vim Project: simplify condition to detect MS-Windows
 " 2025 Mar 11 by Vim Project: handle filenames with leading '-' correctly
+" 2025 Jul 12 by Vim Project: drop ../ on write to prevent path traversal attacks
 " License:	Vim License  (see vim's :help license)
 " Copyright:	Copyright (C) 2005-2019 Charles E. Campbell {{{1
 "		Permission is hereby granted to use and distribute this code,
@@ -236,59 +237,62 @@ endfun
 " zip#Write: {{{2
 fun! zip#Write(fname)
   let dict = s:SetSaneOpts()
+  let need_rename = 0
   defer s:RestoreOpts(dict)
 
   " sanity checks
   if !executable(substitute(g:zip_zipcmd,'\s\+.*$','',''))
-   call s:Mess('Error', "***error*** (zip#Write) sorry, your system doesn't appear to have the ".g:zip_zipcmd." program")
-   return
-  endif
-  if !exists("*mkdir")
-   call s:Mess('Error', "***error*** (zip#Write) sorry, mkdir() doesn't work on your system")
-   return
+    call s:Mess('Error', "***error*** (zip#Write) sorry, your system doesn't appear to have the ".g:zip_zipcmd." program")
+    return
   endif
 
   let curdir= getcwd()
   let tmpdir= tempname()
   if tmpdir =~ '\.'
-   let tmpdir= substitute(tmpdir,'\.[^.]*$','','e')
+    let tmpdir= substitute(tmpdir,'\.[^.]*$','','e')
   endif
   call mkdir(tmpdir,"p")
 
   " attempt to change to the indicated directory
   if s:ChgDir(tmpdir,s:ERROR,"(zip#Write) cannot cd to temporary directory")
-   return
+    return
   endif
 
   " place temporary files under .../_ZIPVIM_/
   if isdirectory("_ZIPVIM_")
-   call delete("_ZIPVIM_", "rf")
+    call delete("_ZIPVIM_", "rf")
   endif
   call mkdir("_ZIPVIM_")
   cd _ZIPVIM_
 
   if has("unix")
-   let zipfile = substitute(a:fname,'zipfile://\(.\{-}\)::[^\\].*$','\1','')
-   let fname   = substitute(a:fname,'zipfile://.\{-}::\([^\\].*\)$','\1','')
+    let zipfile = substitute(a:fname,'zipfile://\(.\{-}\)::[^\\].*$','\1','')
+    let fname   = substitute(a:fname,'zipfile://.\{-}::\([^\\].*\)$','\1','')
   else
-   let zipfile = substitute(a:fname,'^.\{-}zipfile://\(.\{-}\)::[^\\].*$','\1','')
-   let fname   = substitute(a:fname,'^.\{-}zipfile://.\{-}::\([^\\].*\)$','\1','')
+    let zipfile = substitute(a:fname,'^.\{-}zipfile://\(.\{-}\)::[^\\].*$','\1','')
+    let fname   = substitute(a:fname,'^.\{-}zipfile://.\{-}::\([^\\].*\)$','\1','')
+  endif
+  if fname =~ '^[.]\{1,2}/'
+    call system(g:zip_zipcmd." -d ".s:Escape(fnamemodify(zipfile,":p"),0)." ".s:Escape(fname,0))
+    let fname = fname->substitute('^\([.]\{1,2}/\)\+', '', 'g')
+    let need_rename = 1
   endif
 
   if fname =~ '/'
-   let dirpath = substitute(fname,'/[^/]\+$','','e')
-   if has("win32unix") && executable("cygpath")
+    let dirpath = substitute(fname,'/[^/]\+$','','e')
+    if has("win32unix") && executable("cygpath")
     let dirpath = substitute(system("cygpath ".s:Escape(dirpath,0)),'\n','','e')
-   endif
-   call mkdir(dirpath,"p")
+    endif
+    call mkdir(dirpath,"p")
   endif
   if zipfile !~ '/'
-   let zipfile= curdir.'/'.zipfile
+    let zipfile= curdir.'/'.zipfile
   endif
 
-  exe "w! ".fnameescape(fname)
+  " don't overwrite files forcefully
+  exe "w ".fnameescape(fname)
   if has("win32unix") && executable("cygpath")
-   let zipfile = substitute(system("cygpath ".s:Escape(zipfile,0)),'\n','','e')
+    let zipfile = substitute(system("cygpath ".s:Escape(zipfile,0)),'\n','','e')
   endif
 
   if (has("win32") || has("win95") || has("win64") || has("win16")) && &shell !~? 'sh$'
@@ -297,21 +301,24 @@ fun! zip#Write(fname)
 
   call system(g:zip_zipcmd." -u ".s:Escape(fnamemodify(zipfile,":p"),0)." ".s:Escape(fname,0))
   if v:shell_error != 0
-   call s:Mess('Error', "***error*** (zip#Write) sorry, unable to update ".zipfile." with ".fname)
+    call s:Mess('Error', "***error*** (zip#Write) sorry, unable to update ".zipfile." with ".fname)
 
   elseif s:zipfile_{winnr()} =~ '^\a\+://'
-   " support writing zipfiles across a network
-   let netzipfile= s:zipfile_{winnr()}
-   1split|enew
-   let binkeep= &binary
-   let eikeep = &ei
-   set binary ei=all
-   exe "noswapfile e! ".fnameescape(zipfile)
-   call netrw#NetWrite(netzipfile)
-   let &ei     = eikeep
-   let &binary = binkeep
-   q!
-   unlet s:zipfile_{winnr()}
+    " support writing zipfiles across a network
+    let netzipfile= s:zipfile_{winnr()}
+    1split|enew
+    let binkeep= &binary
+    let eikeep = &ei
+    set binary ei=all
+    exe "noswapfile e! ".fnameescape(zipfile)
+    call netrw#NetWrite(netzipfile)
+    let &ei     = eikeep
+    let &binary = binkeep
+    q!
+    unlet s:zipfile_{winnr()}
+  elseif need_rename
+    exe $"sil keepalt file {fnameescape($"zipfile://{zipfile}::{fname}")}"
+    call s:Mess('Warning', "***error*** (zip#Browse) Path Traversal Attack detected, dropping relative path")
   endif
 
   " cleanup and restore current directory
@@ -320,7 +327,6 @@ fun! zip#Write(fname)
   call s:ChgDir(curdir,s:WARNING,"(zip#Write) unable to return to ".curdir."!")
   call delete(tmpdir, "rf")
   setlocal nomod
-
 endfun
 
 " ---------------------------------------------------------------------
@@ -333,15 +339,18 @@ fun! zip#Extract()
 
   " sanity check
   if fname =~ '^"'
-   return
+    return
   endif
   if fname =~ '/$'
-   call s:Mess('Error', "***error*** (zip#Extract) Please specify a file, not a directory")
-   return
+    call s:Mess('Error', "***error*** (zip#Extract) Please specify a file, not a directory")
+    return
+  elseif fname =~ '^[.]\?[.]/'
+    call s:Mess('Error', "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!")
+    return
   endif
   if filereadable(fname)
-   call s:Mess('Error', "***error*** (zip#Extract) <" .. fname .."> already exists in directory, not overwriting!")
-   return
+    call s:Mess('Error', "***error*** (zip#Extract) <" .. fname .."> already exists in directory, not overwriting!")
+    return
   endif
   let target = fname->substitute('\[', '[[]', 'g')
   " unzip 6.0 does not support -- to denote end-of-arguments
@@ -363,13 +372,12 @@ fun! zip#Extract()
   " extract the file mentioned under the cursor
   call system($"{g:zip_extractcmd} -o {shellescape(b:zipfile)} {target}")
   if v:shell_error != 0
-   call s:Mess('Error', "***error*** ".g:zip_extractcmd." ".b:zipfile." ".fname.": failed!")
+    call s:Mess('Error', "***error*** ".g:zip_extractcmd." ".b:zipfile." ".fname.": failed!")
   elseif !filereadable(fname)
-   call s:Mess('Error', "***error*** attempted to extract ".fname." but it doesn't appear to be present!")
+    call s:Mess('Error', "***error*** attempted to extract ".fname." but it doesn't appear to be present!")
   else
-   echomsg "***note*** successfully extracted ".fname
+    echomsg "***note*** successfully extracted ".fname
   endif
-
 endfun
 
 " ---------------------------------------------------------------------
 
@@ -1,4 +1,4 @@
-*pi_zip.txt*	For Vim version 9.1.  Last change: 2025 Apr 02
+*pi_zip.txt*	For Vim version 9.1.  Last change: 2025 Jul 15
 
 				+====================+
 				| Zip File Interface |
@@ -111,6 +111,18 @@ Copyright: Copyright (C) 2005-2015 Charles E Campbell	 *zip-copyright*
 
 ==============================================================================
 4. History							*zip-history* {{{1
+   unreleased:
+       Jul 12, 2025 * drop ../ on write to prevent path traversal attacks
+       Mar 11, 2025 * handle filenames with leading '-' correctly
+       Aug 21, 2024 * simplify condition to detect MS-Windows
+       Aug 18, 2024 * correctly handle special globbing chars
+       Aug 05, 2024 * clean-up and make it work with shellslash on Windows
+       Aug 05, 2024 * workaround for the FreeBSD's unzip
+       Aug 04, 2024 * escape '[' in name of file to be extracted
+       Jul 30, 2024 * fix opening remote zipfile
+       Jul 24, 2024 * use delete() function
+       Jul 23, 2024 * fix 'x' command
+       Jun 16, 2024 * handle whitespace on Windows properly (#14998)
    v33 Dec 07, 2021 * *.xlam mentioned twice in zipPlugin
    v32 Oct 22, 2021 * to avoid an issue with a vim 8.2 patch, zipfile: has
 		      been changed to zipfile:// . This often shows up