Yegappan Lakshmanan wrote:
> On Sat, Jun 14, 2008 at 6:09 AM, Bram Moolenaar <[EMAIL PROTECTED]> wrote:
> >
> > Jan Minar wrote:
> >
> >> 1. Summary
> >>
> >> Product  : Vim -- Vi IMproved
> >> Version  : Tested with 7.1.314 and 6.4
> >> Impact   : Arbitrary code execution
> >> Wherefrom: Local and remote
> >> Original : http://www.rdancer.org/vulnerablevim.html
> >>
> >> Improper quoting in some parts of Vim written in the Vim Script can lead to
> >> arbitrary code execution upon opening a crafted file.
> >
> > Thanks to Jan for finding these problems and explaining them
> > exhaustively.  I received a note a month ago and all reported problems
> > have been fixed.  Either by patches or updates to the runtime files.
> >
>
> What are the suggested changes to prevent the above types of exploits in
> Vim plugins that are not shipped with Vim, but used by many users?
>
> I see from the above page that most of the exploits are because of the use of
> the "execute" command with a filename.  Can we use the following code to fix
> this exploit in other Vim plugins?
>
>     let s:esc_filename_chars = ' *?`%#"|!<' . "'\t\n"
>     let esc_fname = escape(fname, s:esc_filename_chars)
>
> Many of these plugins are used with earlier versions of Vim.  So we
> cannot use the new fnameescape() function.

If you use a file name in combination with commands like ":edit" and
":write" you need to escape special characters.  What you mention will
mostly do the trick.  A problem is the backslash itself: On Unix you need
to escape it, on MS-Windows it depends on whether the next character is a
normal file name character.  Thus you should use fnameescape() whenever it
is available.

Note that this exploit is very weak, since you need to somehow have the
user edit a weird file name.  But the escaping also helps to edit files
with special characters.
-- 
The technology involved in making anything invisible is so infinitely
complex that nine hundred and ninety-nine billion, nine hundred and
ninety-nine million, nine hundred and ninety-nine thousand, nine hundred
and ninety-nine times out of a trillion it is much simpler and more
effective just to take the thing away and do without it.
		-- Douglas Adams, "The Hitchhiker's Guide to the Galaxy"

 /// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
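The pattern Jan's advisory describes and the escaping Bram recommends, as an added example written for this page. It is not code from Bram's message, from Yegappan's plugins or from Vim's runtime files. The function names s:OpenUnsafe, s:EscapeFname and s:OpenSafe, the :OpenUnsafe/:OpenSafe commands and the sample file name are chosen here; the pre-fnameescape() character list is the one Yegappan posted, with the backslash handling Bram mentions added on top. The MS-Windows branch is an approximation of what fnameescape() does (escape a backslash only when the next character is not a normal file name character), so treat it as an assumption and prefer the built-in wherever exists('*fnameescape') is true.

```vim
" Added example (not from the original message or from Vim itself).

" Constructed sample: a file name that smuggles a second Ex command
" behind '|'. Such a name reaches a plugin via expand('%'), a directory
" listing, a session file, and so on.
let s:sample_fname = 'notes.txt|echomsg "injected"'

" VULNERABLE: the name is spliced into the command unescaped. ":edit"
" stops at '|' and the remainder runs as a separate command.
function! s:OpenUnsafe(fname) abort
  execute 'edit ' . a:fname
endfunction

" Characters that need a backslash in a file name argument on older Vims
" (the list from Yegappan's message; the backslash is handled separately).
let s:esc_filename_chars = ' *?`%#"|!<' . "'\t\n"

" Escape a file name for use after ":edit", ":write", ":split", etc.
function! s:EscapeFname(fname) abort
  " Prefer the built-in whenever this Vim has it.
  if exists('*fnameescape')
    return fnameescape(a:fname)
  endif
  if !has('win32') && !has('win64')
    " Unix: a backslash is an ordinary character in a file name, so it
    " must be escaped too, or it would swallow the escape after it.
    return escape(a:fname, '\' . s:esc_filename_chars)
  endif
  " MS-Windows: a backslash is normally a path separator. Escape it only
  " when the next character is not a normal file name character (\f,
  " per 'isfname'), because then it would itself act as an escape.
  " Assumption: this approximates fnameescape(); verify on your setup.
  let out = ''
  let i = 0
  let n = strlen(a:fname)
  while i < n
    let c = a:fname[i]
    let next = i + 1 < n ? a:fname[i + 1] : ''
    if c ==# '\' && next !~# '\f'
      let out .= '\\'
    elseif stridx(s:esc_filename_chars, c) >= 0
      let out .= '\' . c
    else
      let out .= c
    endif
    let i += 1
  endwhile
  return out
endfunction

" HARDENED: the same open, with the name escaped first. With the sample
" name this opens a buffer literally called notes.txt|echomsg "injected"
" instead of running the :echomsg.
function! s:OpenSafe(fname) abort
  execute 'edit ' . s:EscapeFname(a:fname)
endfunction

" For trying it interactively after :source'ing this file. Without -bar
" the whole rest of the line, '|' included, is passed as the argument:
"   :OpenUnsafe notes.txt|echomsg "injected"   -> message appears
"   :OpenSafe   notes.txt|echomsg "injected"   -> buffer with that name
command! -nargs=1 OpenUnsafe call s:OpenUnsafe(<q-args>)
command! -nargs=1 OpenSafe   call s:OpenSafe(<q-args>)
```

The check a plugin author wants is the first one in s:EscapeFname(): test for the built-in with exists('*fnameescape') at call time rather than by version number, so the same plugin file keeps working on a Vim that has it and on one that does not. The hand-rolled fallback only exists for the older Vims Yegappan mentions; on anything newer the builtin's backslash rules are the ones to trust.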
