From b25527d20d9a5ae25f4a5e2d2d487e2eac731b2c Mon Sep 17 00:00:00 2001
From: zeertzjq <zeertzjq@outlook.com>
Date: Thu, 13 Mar 2025 08:47:02 +0800
Subject: vim-patch:9.1.1198: [security]: potential data loss with zip.vim
 (#32867)

Problem:  [security]: potential data loss with zip.vim and special
          crafted zip files (RyotaK)
Solution: use glob '[-]' to protect filenames starting with '-'

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf

https://github.com/vim/vim/commit/f209dcd3defb95bae21b2740910e6aa7bb940531

Co-authored-by: Christian Brabandt <cb@256bit.org>
---
 test/old/testdir/samples/poc.zip     | Bin 0 -> 306 bytes
 test/old/testdir/test_plugin_zip.vim |  23 +++++++++++++++++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 test/old/testdir/samples/poc.zip

(limited to 'test')

diff --git a/test/old/testdir/samples/poc.zip b/test/old/testdir/samples/poc.zip
new file mode 100644
index 0000000000..8b2b44b96a
Binary files /dev/null and b/test/old/testdir/samples/poc.zip differ
diff --git a/test/old/testdir/test_plugin_zip.vim b/test/old/testdir/test_plugin_zip.vim
index a817d8371e..ba0a6778bc 100644
--- a/test/old/testdir/test_plugin_zip.vim
+++ b/test/old/testdir/test_plugin_zip.vim
@@ -235,3 +235,26 @@ func Test_zip_glob_fname()
 
   bw
 endfunc
+
+func Test_zip_fname_leading_hyphen()
+  CheckNotMSWindows
+
+  "## copy sample zip file
+  if !filecopy("samples/poc.zip", "X.zip")
+    call assert_report("Can't copy samples/poc.zip")
+    return
+  endif
+  defer delete("X.zip")
+  defer delete('-d', 'rf')
+  defer delete('/tmp/pwned', 'rf')
+
+  e X.zip
+
+  :1
+  let fname = '-d/tmp'
+  call search('\V' .. fname)
+  normal x
+  call assert_true(filereadable('-d/tmp'))
+  call assert_false(filereadable('/tmp/pwned'))
+  bw
+endfunc
-- 
cgit