On Sun, Jul 13, 2008 at 1:27 PM, Bram Moolenaar <[EMAIL PROTECTED]> wrote:
> Since Charles is probably not able to respond, I had a look myself.

He actually has responded (to me) -- and there's a new version of
zip.vim, "v21", which fixes the two remaining unsanitized exe
statements[0]

[0] http://mysite.verizon.net/astronaut/vim/index.html#ZIPHANDLER

I've added a test in the vulnerablevim testsuite, and made it available @

http://www.rdancer.org/vulnerablevim-latest.tar.bz2

Now there still is the issue of treating a file name as a commandline
switch.  Unfortunately, at least the zip(1) on my system [``Zip 2.32
(June 19th 2006), by Info-ZIP''] doesn't accept ``--'' to signal the
end of switches.  But the unzip(1) does.  See the attached patch, which
should only work on POSIX systems.

Some issues still remain; for example, zipplugin doesn't handle archives
with a double colon ``::'' in the file name.

Cheers,
Jan.


--- v20/zip.vim	2008-07-13 18:08:10.704383599 +0100
+++ runtime/autoload/zip.vim	2008-07-13 18:01:47.000000000 +0100
@@ -99,8 +99,8 @@
   0d
   $
 
-"  call Decho("exe silent r! ".g:zip_unzipcmd." -l ".s:Escape(a:zipfile,1))
-  exe "silent r! ".g:zip_unzipcmd." -l ".s:Escape(a:zipfile,1)
+"  call Decho("exe silent r! ".g:zip_unzipcmd." -l -- ".s:Escape(a:zipfile,1))
+  exe "silent r! ".g:zip_unzipcmd." -l -- ".s:Escape(a:zipfile,1)
   if v:shell_error != 0
    redraw!
    echohl WarningMsg | echo "***warning*** (zip#Browse) ".a:zipfile." is not a zip file" | echohl None
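Review bot: The added `--` on the `unzip -l` line only stops a dash-leading archive name from being read as a switch if the program behind `g:zip_unzipcmd` honours `--`; that variable is configurable, and the covering message says the patch is only expected to work on POSIX systems. The same applies to the `-p --` line in the next hunk. A tool-independent safeguard, in addition to `--`, is to make the archive path absolute as the zip#Write hunk already does: `exe "silent r! ".g:zip_unzipcmd." -l -- ".s:Escape(fnamemodify(a:zipfile,":p"),1)`. The enclosing function starts and ends outside the hunk.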
@@ -193,8 +193,8 @@
 "  call Decho("zipfile<".zipfile.">")
 "  call Decho("fname  <".fname.">")
 
-"  call Decho("exe r! ".g:zip_unzipcmd." -p ".s:Escape(zipfile,1)." ".s:Escape(fname,1))
-  exe "silent r! ".g:zip_unzipcmd." -p ".s:Escape(zipfile,1)." ".s:Escape(fname,1)
+"  call Decho("exe r! ".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fname,1))
+  exe "silent r! ".g:zip_unzipcmd." -p -- ".s:Escape(zipfile,1)." ".s:Escape(fname,1)
 
   " cleanup
   0d
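Review bot: `fname` on the `-p --` line is an archive member name, and unzip matches member arguments as wildcard patterns, so a name containing `*`, `?` or `[` may select more than the intended member; `--` does not change that. `s:Escape` is not visible in this hunk, so confirm whether it neutralises those characters for unzip as well as for the shell. The zip#Write hunk shows a `substitute(fname, '[', '[[]', 'g')` step for zip that has no visible counterpart here. The enclosing function starts and ends outside the hunk.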
@@ -286,8 +286,8 @@
     let fname = substitute(fname, '[', '[[]', 'g')
   endif
 
-"  call Decho(g:zip_zipcmd." -u ".s:Escape(zipfile,0)." ".s:Escape(fname,0))
-  call system(g:zip_zipcmd." -u ".s:Escape(zipfile,0)." ".s:Escape(fname,0))
+"  call Decho(g:zip_zipcmd." -u ".s:Escape(fnamemodify(zipfile,":p),0)." ./".s:Escape(fname,0))
+  call system(g:zip_zipcmd." -u ".s:Escape(fnamemodify(zipfile,":p"),0)." ./".s:Escape(fname,0))
   if v:shell_error != 0
    redraw!
    echohl Error | echo "***error*** (zip#Write) sorry, unable to update ".zipfile." with ".fname | echohl None
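Review bot: The new commented-out Decho line has an unbalanced quote, `fnamemodify(zipfile,":p)`, so it no longer mirrors the `call system(...)` line below it and would not parse as intended if the debug line were re-enabled; it should read `fnamemodify(zipfile,":p"),0)`. Separately, the `./` prefix assumes `fname` is a relative path and that zip stores the member under the same name with or without the prefix; neither is shown in the hunk. A short comment would record the intent, e.g. `" ./ keeps a dash-leading fname from being parsed as a zip switch (this zip does not accept --)`. zip#Write continues outside the hunk.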
