On Wed, Mar 12, 2025 at 10:22:23PM +0100, Christian Brabandt wrote: > Therefore, Vim will try to work-around it by using the `[-]` glob when a > filename starts with a `-` to protect unzip from parsing the filename as > an argument, which is just an ugly work-around.
I was puzzled by this. I expected that if you were running unzip via the shell, then the glob pattern would be expanded back to a simple dash before being passed to unzip, and if you were running unzip directly then the glob pattern would never be expanded, so the brackets would break the intended behavior. However, it appears that unzip itself expands glob patterns even for archive names (not only for matching files in archives)? I guess this is unexpected by many unzip users, and it likely allows for other attacks on unzip and on the zip.vim plugin, by providing a filename that includes glob patterns in it so that a different archive would be processed. Otherwise, a workaround for the original issue would be to prefix the filename with ./ as we most recently discussed in this thread: https://www.openwall.com/lists/oss-security/2024/11/06/1 Alexander
