Jan Minar wrote:

> 1. Summary
> 
> Product  : Vim -- Vi IMproved
> Version  : >= 7.2a.013; tested with 7.2b
> Impact   : Arbitrary code execution
> Wherefrom: Local, possibly remote
> Original : http://www.rdancer.org/vulnerablevim-shellescape.html
>            http://www.rdancer.org/vulnerablevim-latest.tar.bz2
> 
> Improper implementation of the shellescape() function and lack of
> documentation can result in untrusted data being insufficiently
> sanitized, possibly leading to arbitrary code execution.

I'm glad to see you persist in finding more problems.

> 2. Background
> 
> The shellescape() function, added by patch 7.0.111, has since been
> modified in 7.2a.013 to escape special characters, so as to be useful
> when sanitizing arguments of the ``execute'' command:
> 
> 
> ``shellescape({string} [, {special}])
>     Escape {string} for use as shell command argument.
>     [...]
>     When the {special} argument is present and it's a non-zero Number or
>     a non-empty String [...], then special items such as "%", "#" and
>     "<cword>" will be preceded by a backslash.  This backslash will be
>     removed again by the :! command.  Example of use with a :! command:
>         :exe '!dir ' . shellescape(expand('<cfile>'), 1)
>     This results in a directory listing for the file under the cursor.''
> 
>       -- Vim Reference Manual (``eval.txt'')
> 
> 
> 3. Vulnerability
> 
> shellescape() does not escape all special items.  In particular,
> shellescape() does not escape the ``!'' character.
> 
> The Vim documentation lacks a comprehensive explicit list of special
> items.  This might have been the reason why patch 7.2a.013 failed to
> acknowledge ``!'' as a special item.

The "!" character is a special character in another way.  It's replaced
in a different location.

While looking into this I noticed that csh and tcsh also handle "!" as a
special character, even within a single quoted string.  So it has to be
escaped another time for these shells.

It appears another character that needs to be escaped is NL.  I'll try
that out.  File names with an embedded newline are quite difficult to
handle anyway.

Please let me know if you suspect any other character needs escaping.

-- 
hundred-and-one symptoms of being an internet addict:
252. You vote for foreign officials.

 /// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
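The two escaping layers the thread talks past each other about, as an added worked model that is not part of the original mail and not Vim's own C code: `:!` rewrites its argument (expanding `%`, `#`, `<cword>`-style items and `!`, and dropping a backslash that protects one of them) before any shell sees it, and csh/tcsh then apply history expansion to `!` even inside single quotes. Assumptions: the special-item list is only the illustrative subset named on this page (`%`, `#`, `<cword>`, `<cfile>`), `bang_expand` is a model of `:!` built from its help text, the csh `!` rule is the simplified "not followed by blank, newline, `=` or `(`" description from csh(1), and the NL handling follows Bram's tentative remark rather than a confirmed Vim behaviour. The sample file name and previous command are constructed.

```python
import re
import shlex

# Vim special items modelled here: an illustrative subset, not Vim's full list.
_ITEM = r'%|#|<cword>|<cfile>'


def shellescape(s, special=False, shell="sh"):
    """Model of shellescape({string} [, {special}]) with "!" treated as special.

    Layer 1, the shell: single-quote everything and turn an embedded ' into '\\''.
    csh/tcsh apply history expansion to "!" even inside single quotes, so for them
    "!" (and NL, which the thread flags as a candidate) also gets a backslash.
    Layer 2, Vim (only with special): backslash %, #, <cword>, <cfile> and "!" so
    that :! keeps them literal; :! removes that backslash again before exec.
    For csh with special this yields "\\!": :! eats one backslash, csh the other.
    """
    out = "'" + s.replace("'", "'\\''") + "'"
    if shell == "csh":
        out = out.replace("!", "\\!").replace("\n", "\\\n")
    if special:
        out = re.sub(r'(%s|!)' % _ITEM, r'\\\1', out)
    return out


def bang_expand(cmd, curfile="", altfile="", cword="", cfile="", prev_cmd=""):
    """Model of what :! does to {cmd} before handing it to the shell (see :help :!):
    unescaped %, #, <cword>, <cfile> and ! are expanded; a backslash in front of
    one of them is dropped and the item itself is kept literally."""
    table = {"%": curfile, "#": altfile, "<cword>": cword, "<cfile>": cfile,
             "!": prev_cmd}

    def repl(m):
        return m.group(2) if m.group(1) else table[m.group(2)]

    return re.sub(r'(\\?)(%s|!)' % _ITEM, repl, cmd)


def sh_argv(cmd):
    """POSIX sh view of the command: shlex splits '...' and '\\'' the way sh does."""
    return shlex.split(cmd)


def csh_history_hazard(cmd):
    """csh/tcsh run history substitution before quote parsing, so an unescaped "!"
    that is not followed by blank, tab, newline, "=" or "(" is a hazard even
    inside single quotes (simplified rule taken from csh(1); an assumption)."""
    return re.search(r'(?<!\\)!(?![ \t\n=(])', cmd) is not None


def demo(name="foo!bar%.txt", curfile="notes.txt", prev_cmd="ls -l"):
    """Walk a constructed file name through :! and sh, naively quoted and via
    shellescape(name, 1).  Naive single quotes survive the shell but not :!,
    which splices the previous command and the current file name into them."""
    unsafe = "dir '" + name + "'"                 # shell-only quoting
    safe = "dir " + shellescape(name, special=True)
    return {
        "unsafe_argv": sh_argv(bang_expand(unsafe, curfile=curfile, prev_cmd=prev_cmd)),
        "safe_argv": sh_argv(bang_expand(safe, curfile=curfile, prev_cmd=prev_cmd)),
        "csh_plain": shellescape(name, shell="csh"),
        "csh_special": shellescape(name, special=True, shell="csh"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Run `demo()` and compare `unsafe_argv` with `safe_argv`: the naively quoted name comes out of `:!` as `fools -lbarnotes.txt.txt`, while the escaped one reaches sh as exactly `foo!bar%.txt`. The csh outputs show the doubled backslash before `!` that the two layers together require.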