On Thu, Aug 21, 2008 at 12:55 AM, Bram Moolenaar <[EMAIL PROTECTED]> wrote:
>
> Matt Wozniski wrote:
>
>> Jan got the exploit right, but formatted his modeline wrong.  Try this
>> document:
>> /* We use an obscure glibc function -- check out the man page! */
>> clockface = &(xclock)&pwnme (a, b, x + y);
>> /* vim: set iskeyword=a-z,&,),(: */
>>
>> Make sure ":verbose set isk?" correctly says
>> iskeyword=a-z,&,),(
>>       Last set from modeline
>>
>> place your cursor on 'pwnme', and press K.  xclock appears.
>
> Yeah, this is the kind of exploit where you have to tell the user to do
> something stupid and then blame Vim that the user is stupid.

Yeah, not a terribly serious exploit, more of an inconvenience when a
command does something other than you'd expect because of shell
expansion.

>> The browser being used has nothing to do with the exploit; it's all in
>> the shell expansions before the browser is launched.  In fact, in
>> cases like this I don't think we should be using the shell at all, for
>> reasons just like this one.  I can see no real argument for why K
>> ought to behave like:
>> exe '!' . &kp . ' ' . expand("<cword>")
>>
>> Is there any reason why we would ever want shell syntax to affect
>> keyword lookups?  I think that K ought to behave more like
>> execlp(&kp, &kp, expand("<cword>"), (char *)NULL);
>> Of course, this is muddled C and Vimscript pseudo-code, but you get the idea.
>>
>> OTOH, :! probably ought to continue using the shell so that you can
>> do, for instance,
>> :!ls | grep foo
>
> The command executed can be a shell alias.  The command may not be in
> $PATH.  And a few other reasons we don't see right now.

execlp() handles commands not in $PATH just fine, as long as its first
parameter is an absolute or relative path, rather than just a
filename.  And a shell alias being used there is definitely not a good
thing - and is not done by default.  If you want to replace or create
a program, you create a script, if you want to change the way a
program is used interactively, you use an alias.  Aliases are
certainly not designed to ever be called from an external program, and
forcing bash to pretend to be an interactive shell when it's not, in
fact, being used interactively, just for the sake of expanding
aliases, is a Bad Thing.

~Matt
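The point Matt makes above, that the keyword under the cursor should reach `keywordprg` as one argv element instead of being spliced into a shell command line, is shown here as an added example. This is not Vim's code and not code from the thread: it uses a stand-in `keywordprg` (a Python one-liner that prints its first argument, an assumption for portability) and the word that the quoted modeline makes K pick up, `&(xclock)&pwnme`, as a constructed sample. `shell_view` shows how a POSIX shell would tokenise that word if it were interpolated unquoted, `is_plain_keyword` is a conservative allowlist a lookup front end could apply, and `lookup` performs the exec-style invocation with no shell at all.

```python
import re
import shlex
import subprocess
import sys

# Constructed sample: the "keyword" the modeline from the thread produces
# once iskeyword contains '&', '(' and ')'.
POISONED_WORD = "&(xclock)&pwnme"

# Stand-in for &keywordprg (assumption, not Vim's default): a program that
# simply prints its first argument so we can observe what it received.
KEYWORDPRG = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def shell_view(word):
    """Tokenise the word the way a POSIX shell would if it were spliced into a
    command line without quoting (this is what 'exe "!" . &kp . " " . word' does).
    A single "word" that splits into several tokens is the problem."""
    lexer = shlex.shlex(word, posix=True, punctuation_chars=True)
    return list(lexer)


def shell_safe(word):
    """If a shell must be used (as for :!), this is the quoting that keeps the
    word a single literal argument."""
    return shlex.quote(word)


def is_plain_keyword(word):
    """Allowlist of what a keyword-lookup program should ever be handed.
    Anything outside it is not a documentation keyword and is rejected."""
    return re.fullmatch(r"[A-Za-z0-9_.:-]+", word) is not None


def lookup(word, validate=True):
    """Run keywordprg execlp-style: the word is one argv element, no shell,
    so '&', '(' and ')' are passed through literally and never interpreted."""
    if validate and not is_plain_keyword(word):
        raise ValueError(f"refusing keyword lookup for {word!r}")
    result = subprocess.run(
        KEYWORDPRG + [word], capture_output=True, text=True, check=True
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print("shell would see:", shell_view(POISONED_WORD))
    print("shell-quoted form:", shell_safe(POISONED_WORD))
    # Even with validation off, argv passing delivers the word unchanged.
    print("argv delivered:", lookup(POISONED_WORD, validate=False))
    print("allowed:", is_plain_keyword("clockface"), is_plain_keyword(POISONED_WORD))
```

Running it shows the shell tokeniser breaking the word into `&(`, `xclock`, `)&`, `pwnme`, which is exactly why `xclock` gets launched in the shell-based K, while the argv-based `lookup` hands the whole string to the program untouched. The allowlist is a belt-and-braces check on top of that; it is not a substitute for avoiding the shell.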

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
