Hi guys,
I went through the list of emails about this topic and am a little
confused why there is such a fuss. Apologies in advance if I'm
talking out of my ass but, at least according to my understanding, there
is no way for Vim to be immune to content pasted into it.
Vim is as much a scripting environment as is Perl or Python (you can
even execute Python with a clever paste).
> >>> Yeah - worse - it's the recommended way because "shell code on websites"
> >>> could have <span hidden>...</span> code. Thus pasting into an editor
> >>> before running usually is the way to go. If that action is exploitable
> >>> it should be fixed in some way - and the :r!cat way is worth testing as
> >>> well to be sure.
Assuming <span hidden> you could add almost any control characters to
the paste, and, given that you can paste either <esc> or the mentioned
<c-V> (Ctrl+Shift+v) you're already in trouble.
If you can paste <esc> into Vim, and I am pretty sure I can do that since
the clipboard is a byte buffer, you can execute anything. For example,
on my machine I do

    printf "%s" '^[:!echo vulnerable > ~/vulnerable^M' |
        xclip -selection clipboard

xclip -selection clipboard is a good simulation of typing <C-c> in a
browser since they perform exactly the same: they place the bytes in the
same Xorg clipboard.
Now I use the rxvt/xterm default <c-V> (Ctrl+Shift+v) whilst Vim is in
INSERT mode and I get a file created in my home directory.
Note: I used terminal escapes to build ^[ (0x1b) and ^M (0xc).
------
This is common to all scripting environments and there isn't anything
that can be done about this. This is no different than pasting into an
open python session (from a security standpoint).
I can create strings with printf where I can "exploit" in the same way
Emacs, GNU Screen, and possibly many others. This isn't a
vulnerability; it is a side effect of a scripting environment.
I may be wrong, but this is what I understood the discussed problem is
about.
Cheers,
--
Mike Grochmal
GPG key ID 0xC840C4F6
/"\ ASCII Ribbon Campaign
\ / - against HTML emails
X - against proprietary attachments
/ \ http://en.wikipedia.org/wiki/ASCII_Ribbon_Campaign
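
Added example, not part of the original message: a POSIX shell screen for clipboard text that counts the control bytes the message discusses (ESC 0x1b and carriage return among them) before the text is pasted into a terminal program. The function names are hypothetical, and using `mktemp` and `cat -v` is an assumption about the local system.

```shell
#!/bin/sh
# Added example: screen clipboard text for control bytes before pasting it
# into Vim or any other terminal program. Function names are hypothetical.

# Count C0 control bytes other than TAB and LF, plus DEL. ESC (0x1b) and
# CR are counted because they are what let pasted text leave INSERT mode
# and submit a ":" command line.
count_control_bytes() {
    LC_ALL=C tr -d '\011\012\040-\176\200-\377' | wc -c | tr -d ' '
}

# Drop those same bytes, keeping printable ASCII, TAB, LF and UTF-8 bytes.
strip_control_bytes() {
    LC_ALL=C tr -d '\000-\010\013-\037\177'
}

# Read a paste on stdin. Clean text is passed through on stdout (status 0);
# text containing control bytes is shown on stderr in caret notation
# (ESC as ^[, CR as ^M) and rejected (status 1).
check_paste() {
    _paste_tmp=$(mktemp) || return 2
    cat > "$_paste_tmp"
    _paste_n=$(count_control_bytes < "$_paste_tmp")
    if [ "$_paste_n" -gt 0 ]; then
        echo "paste rejected: $_paste_n control byte(s)" >&2
        LC_ALL=C cat -v < "$_paste_tmp" >&2
        echo >&2
        rm -f "$_paste_tmp"
        return 1
    fi
    cat "$_paste_tmp"
    rm -f "$_paste_tmp"
}

# Typical use on X11 (not run here):
#   xclip -selection clipboard -o | check_paste
```

Text with Windows line endings is also rejected, since each line carries a carriage return.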