On 3/13/25 12:14 AM, Solar Designer wrote:
> On Wed, Mar 12, 2025 at 10:22:23PM +0100, Christian Brabandt wrote:
>> Therefore, Vim will try to work-around it by using the `[-]` glob when a
>> filename starts with a `-` to protect unzip from parsing the filename as
>> an argument, which is just an ugly work-around.
>
> I was puzzled by this. I expected that if you were running unzip via
> the shell, then the glob pattern would be expanded back to a simple dash
> before being passed to unzip, and if you were running unzip directly
> then the glob pattern would never be expanded, so the brackets would
> break the intended behavior. However, it appears that unzip itself
> expands glob patterns even for archive names (not only for matching
> files in archives)? I guess this is unexpected by many unzip users, and
> it likely allows for other attacks on unzip and on the zip.vim plugin,
> by providing a filename that includes glob patterns in it so that a
> different archive would be processed.
It certainly surprised me!

That being said, given the potential danger is I guess limited to extracting
multiple archives you didn't expect but you still cannot control the location
(without using the member-named-leading-dash-d trick as well) and you also
have to convince the user to have multiple zip archives in the same directory,
it seems harder to pull anything off like this.

Note: unzip won't re-parse globs in a directory segment, only the final
filename segment.

> Otherwise, a workaround for the original issue would be to prefix the
> filename with ./ as we most recently discussed in this thread:
>
> https://www.openwall.com/lists/oss-security/2024/11/06/1

unzip will not permit you to run:

```
unzip foo.zip ./dir1/member
```

in order to extract an archive member named "dir1/member". There is no ./
member in the archive, it's not resolved like a filesystem path. It will
print a diagnostic: "caution: filename not matched: ./dir1/member" and exit
11 (no matching files were found).

--
Eli Schwartz
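As an added example (not from the thread or from zip.vim), a pre-check a caller of unzip could run before handing names on the command line: the archive path is a filesystem path, so the ./ prefix from the thread defuses a leading dash there, while member names are matched literally by unzip, so names with a leading dash or with unzip's wildcard characters (*, ?, [) are flagged instead. The sample archive is constructed in memory.

```python
import io
import zipfile

# Characters unzip treats as wildcards when matching member names.
GLOB_CHARS = set("*?[")


def safe_archive_arg(path: str) -> str:
    """The archive argument is resolved as a filesystem path, so a './'
    prefix keeps a leading '-' from being parsed as an option."""
    return "./" + path if path.startswith("-") else path


def risky_members(zip_bytes: bytes) -> dict:
    """Classify member names that cannot be passed to unzip verbatim.

    'dash': would be parsed as an option; a './' prefix does NOT help here,
            because unzip matches member names literally, not as paths.
    'glob': contains characters unzip would expand as a pattern, so the
            name could match other members than the one intended.
    """
    found = {"dash": [], "glob": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("-"):
                found["dash"].append(name)
            if GLOB_CHARS & set(name):
                found["glob"].append(name)
    return found


def build_sample() -> bytes:
    """Constructed sample archive: one harmless member, one member named
    like an option, one member whose name contains a wildcard."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dir1/member", "ok\n")
        zf.writestr("-d", "leading dash\n")
        zf.writestr("note[1].txt", "glob chars\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(safe_archive_arg("-foo.zip"))
    print(risky_members(build_sample()))
```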