Andrew Maykov wrote:
> On 4/28/07, Bram Moolenaar <[EMAIL PROTECTED]> wrote:
> >It's better to make sure the sandbox works as it should.
> Yet another function to disable in sandbox:
> vi: fdm=expr fde=writefile([""],"phantom_was_here")
Yep, you found another one. Seems some of the new functions added in
Vim 7 were not properly checked for sandbox use. I think system()
should also not write the "input" argument to a file. It's quite
harmless, since you can't control the file name, but the shell command
is going to fail anyway. None of the others appear to be harmful.
> Proposal. Maybe it's sane to put security checks not just in
> functions like f_writefile(), but also put it to the core of fileio,
> e.g. if mch_fopen macro will check permissions before actual opening
> file, then f_writefile() and friends if any will fail to harm user.
>
> i.e. replace something like this:
> =CUT============================
> --- macros.h.orig 2007-04-29 00:57:16.000000000 +0700
> +++ macros.h 2007-04-29 00:58:38.000000000 +0700
> @@ -149,7 +149,7 @@
> #ifdef VMS
> # define mch_access(n, p) access(vms_fixfilename(n), (p))
> /* see mch_open() comment */
> -# define mch_fopen(n, p) fopen(vms_fixfilename(n), (p))
> +# define mch_fopen_impl(n, p) fopen(vms_fixfilename(n), (p))
> # define mch_fstat(n, p) fstat(vms_fixfilename(n), (p))
> /* VMS does not have lstat() */
> # define mch_stat(n, p) stat(vms_fixfilename(n), (p))
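Review bot: Only mch_fopen is renamed in this VMS branch, while the mch_open() that the comment two lines above the change refers to is not touched anywhere in the patch. A write that goes through open() rather than fopen() would therefore never reach the new check. If the intent is a central check in file I/O, the open() wrapper needs the same treatment, or the description should say why covering fopen() alone is enough.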
> @@ -158,7 +158,7 @@
> # define mch_access(n, p) access((n), (p))
> # endif
> # if !(defined(FEAT_MBYTE) && defined(WIN3264))
> -# define mch_fopen(n, p) fopen((n), (p))
> +# define mch_fopen_impl(n, p) fopen((n), (p))
> # endif
> # define mch_fstat(n, p) fstat((n), (p))
> # ifdef MSWIN /* has it's own mch_stat() function */
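Review bot: mch_fopen_impl is defined here only inside `# if !(defined(FEAT_MBYTE) && defined(WIN3264))`, but the mch_fopen wrapper added in the last hunk is unconditional. On a build where both FEAT_MBYTE and WIN3264 are defined, the wrapper would expand to an mch_fopen_impl that this header does not define, and it would presumably also clash with whatever mch_fopen that configuration supplies elsewhere. Either put the wrapper under the same condition or provide mch_fopen_impl for that configuration too.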
> @@ -174,6 +174,9 @@
> # endif
> #endif
>
> +
> +#define mch_fopen(n, p) ( check_secure() ? NULL : mch_fopen_impl(n,p)
> )
> +
> #ifdef HAVE_LSTAT
> # define mch_lstat(n, p) lstat((n), (p))
> #else
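Review bot: The new mch_fopen macro never looks at the mode argument p, so whenever check_secure() is true it returns NULL for read-only opens as well as for writes. Testing p for write access (a 'w', 'a' or '+' in the mode string) before refusing would keep reads working. As posted, the #define is also split over two lines with the closing parenthesis alone on the second and no backslash continuation, so it needs to be rejoined before it can compile, and the n and p passed to mch_fopen_impl should be parenthesised like the other macros in this file.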
> =/CUT===========================
I don't like this solution. Opening some files would be OK in the
sandbox, e.g., for reading. readfile() would be OK in the sandbox,
right?
--
/// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute -- http://www.A-A-P.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
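
The objection in the reply above is that a blanket check in mch_fopen would also block harmless reads. As an added example (not code from Vim or from either poster), a central wrapper can inspect the fopen() mode string and refuse only write-capable opens; `sandbox_active`, `mode_writes` and `sandbox_fopen` are hypothetical names, and code that calls open() directly is outside what this covers.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the editor's sandbox state (assumption). */
static int sandbox_active = 0;

/* Return 1 if an fopen() mode string can create or modify the file.
 * "w" truncates/creates, "a" appends/creates, and "+" adds write
 * access to any base mode, including "r+". */
static int mode_writes(const char *mode)
{
    return strpbrk(mode, "wa+") != NULL;
}

/* Mode-aware wrapper: while sandboxed, refuse write-capable opens and
 * let read-only opens through. Fails closed on NULL arguments. */
static FILE *sandbox_fopen(const char *name, const char *mode)
{
    if (name == NULL || mode == NULL)
        return NULL;
    if (sandbox_active && mode_writes(mode))
        return NULL;
    return fopen(name, mode);
}

int main(void)
{
    /* Constructed demo file, created outside the sandbox. */
    FILE *f = sandbox_fopen("sb_demo_tmp.txt", "w");
    if (f == NULL)
        return 1;
    fputs("hello\n", f);
    fclose(f);

    sandbox_active = 1;
    printf("write in sandbox: %s\n",
           sandbox_fopen("sb_demo_tmp.txt", "w") ? "allowed" : "denied");
    f = sandbox_fopen("sb_demo_tmp.txt", "r");
    printf("read in sandbox:  %s\n", f ? "allowed" : "denied");
    if (f != NULL)
        fclose(f);

    sandbox_active = 0;
    remove("sb_demo_tmp.txt");
    return 0;
}
```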