Tony Mechelynck wrote:
> Maybe you should set a config-time option (or create one) to
> avoid any interaction with the shell?
>
> Even better: If you don't want ever to become the victim of
> any exploit, turn your computer off at the wall switch and
> leave it off.
>
> :-b
I haven't studied this example, but as I understand it, the suggestion is that I
could send you a file with a message like "What's the deal with this weird
message
that Vim gives? Open file xxx and search for yyy then press K."
Jan is saying (I think) that following those instructions could execute malware.
Sure, it will never happen to me or you, but if we were discussing Microsoft
Word,
most people would have no hesitation in declaring that such a vulnerability
(press a
key in a document to get owned) is just NOT acceptable.
We aren't talking about mapping K to execute "system('dodgyfile')". K is
performing
its default function, but that function could exploit you if executed on certain
text, with a certain file present.
If my understanding is correct, I don't think it's reasonable to write this off
with
the "switch power off" joke (if I've got this wrong, please correct me).
Once again, thanks Jan!
John
--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
