On 21/08/08 08:25, Matt Wozniski wrote:
[...]
> In that vein, perhaps using the shell should be an option... but
> doubtless the best default behavior is to use system(3) for places
> like :! where shell expansion is good, and execlp() for those places
> where we decidedly don't want any shell expansion.  Relying on uniform
> escaping required for /bin/sh is still not terribly easy, but it's a
> much less moving target than escaping for every possible shell...  It
> just strikes me that vim's present use of the user's shell is
> inherently impossible to sanitize, and thus inherently insecure for at
> least the simplistic "file name has a command embedded" sort of
> attack...
>
> ~Matt

From man 3 execlp:

[...]
>        The  exec() family of functions replaces the current process image with
>        a new process image.  [...]
>
>        If any of the exec() functions returns, an error  will  have  occurred.
>        The  return  value  is -1, and the global variable errno will be set to
>        indicate the error.
[...]

Are you sure that where we used to call the shell, you want to replace 
the whole Vim process by something else unless an error occurs?


Best regards,
Tony.
-- 
Character Density, n.:
        The number of very weird people in the office.

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
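
The two points in this exchange, as an added example that is not part of the original message or of Vim's code: calling execvp() in a fork()ed child replaces only the child's process image, and each argument reaches the program verbatim with no shell parsing. The helper name `run_no_shell` and the sample file name are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not Vim code): run argv[0] without a shell, capture
 * its stdout in out, return its exit status (-1 on internal error). */
int run_no_shell(char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    size_t used = 0;
    ssize_t n;
    int status;

    if (outlen == 0 || pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        /* Child: only this copy of the process is replaced by exec. */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);  /* each argv element is passed verbatim */
        _exit(127);             /* reached only if exec failed */
    }
    close(fds[1]);
    if (pid < 0) {
        close(fds[0]);
        return -1;
    }
    /* Parent: still the original process; read the output, then reap. */
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: a file name containing shell metacharacters. */
    char *argv[] = { "printf", "%s", "notes; echo INJECTED", NULL };
    char out[128];
    int rc = run_no_shell(argv, out, sizeof out);
    printf("exit=%d out=[%s] verbatim=%d\n", rc, out, strcmp(out, argv[2]) == 0);
    return 0;
}
```

The same file name interpolated into a system(3) command string would be split at the `;` by /bin/sh, which is the escaping problem the quoted message describes.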
