2017-01-19 21:57 GMT+03:00 Michal Grochmal <[email protected]>:
> Hi guys,
>
> I went through the list of emails about this topic and am a little
> confused why it is being such a fuss.  Apologies in advance if I'm
> talking out of my ass but, at least according to my understanding, there
> is no way for Vim to be immune to content pasted into it.
>
> Vim is as much a scripting environment as is perl or python (you can
> even execute python with a clever paste).
>
>> >>> Yeah - worse - it's the recommended way because "shell code on websites"
>> >>> could have <span hidden>...</span> code. Thus pasting into an editor
>> >>> before running usually is the way to go. If that action is exploitable
>> >>> it should be fixed in some way - and the :r!cat way is worth testing as
>> >>> well to be sure.
>
> Assuming <span hidden> you could add almost any control characters to
> the paste, and, given that you can paste either <esc> or the mentioned
> <c-V> (Ctrl+Shift+v) you're already in trouble.
>
> If you can paste <esc> into Vim, and am pretty sure I can do that since
> the clipboard is a byte buffer you can execute anything.  For example,
> on my machine I do
>
>     printf "%s" '^[:!echo vulnerable > ~/vulnerable^M' |
>       xclip -selection clipboard
>
> xclip -selection clipboard is a good simulation of typing <C-c> in a
> browser since they perform exactly the same, they place the bytes in the
> same Xorg clipboard.
>
> Now I use the rxvt/xterm default <c-V> (Ctrl+Shift+v) whilst Vim is in
> INSERT mode and I get a file created in my home directory.
>
> Note: I used terminal escapes to build ^[ (0x1b) and ^M (0xc).
>
> ------
>
> This is common to all scripting environments and there isn't anything
> that can be done about this.  This is no different than pasting into an
> open python session (from a security standpoint).
>
> I can create strings with printf where I can "exploit" in the same way
> emacs, gnu screen, and possibly many others.  This isn't a
> vulnerability, it is a side effect of a scripting environment.
>
> I may be wrong, but this is what I understood the discussed problem is
> about.

I think that handling this problem is the primary goal of terminal’s bracketed paste mode. E.g. zsh should not be affected.

>
> Cheers,
> --
> Mike Grochmal
> GPG key ID 0xC840C4F6
> /"\  ASCII Ribbon Campaign
> \ /  - against HTML emails
>  X   - against proprietary attachments
> / \  http://en.wikipedia.org/wiki/ASCII_Ribbon_Campaign
>
> --
> --
> You received this message from the "vim_dev" maillist.
> Do not top-post! Type your reply below the text you are replying to.
> For more information, visit http://www.vim.org/maillist.php
>
> ---
> You received this message because you are subscribed to the Google Groups
> "vim_dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
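
The bracketed paste mode mentioned in the reply, simulated as an added example (not part of the message and not Vim's or any terminal's code): the terminal wraps pasted bytes in the standard `ESC[200~` / `ESC[201~` markers so the receiving program can treat them as literal text instead of keystrokes. The function names and the sample bytes are constructed for illustration.

```python
PASTE_START = b"\x1b[200~"  # terminal sends this before pasted data
PASTE_END = b"\x1b[201~"    # terminal sends this after pasted data


def terminal_paste(clipboard: bytes, bracketed: bool) -> bytes:
    """Bytes the terminal delivers to the program for one paste."""
    if not bracketed:
        return clipboard  # indistinguishable from typed keys
    # Drop the end marker from the data (repeatedly, in case removal
    # re-forms it) so pasted content cannot close its own bracket.
    data = clipboard
    while PASTE_END in data:
        data = data.replace(PASTE_END, b"")
    return PASTE_START + data + PASTE_END


def split_input(stream: bytes):
    """Split program input into ('keys', bytes) and ('paste', bytes) runs."""
    runs = []
    while stream:
        start = stream.find(PASTE_START)
        if start == -1:
            runs.append(("keys", stream))
            break
        if start:
            runs.append(("keys", stream[:start]))
        body = stream[start + len(PASTE_START):]
        end = body.find(PASTE_END)
        if end == -1:  # unterminated bracket: keep the rest as paste
            runs.append(("paste", body))
            break
        runs.append(("paste", body[:end]))
        stream = body[end + len(PASTE_END):]
    return runs


def control_bytes(data: bytes):
    """Control characters in clipboard data other than tab and newline."""
    return sorted({b for b in data
                   if (b < 0x20 and b not in (0x09, 0x0A)) or b == 0x7F})


# Constructed sample: the clipboard content from the quoted message,
# with ESC and CR written as real bytes.
SAMPLE = b"\x1b:!echo vulnerable > ~/vulnerable\r"

if __name__ == "__main__":
    print(split_input(b"i" + terminal_paste(SAMPLE, bracketed=False)))
    print(split_input(b"i" + terminal_paste(SAMPLE, bracketed=True)))
    print([hex(b) for b in control_bytes(SAMPLE)])
```

Without the brackets the ESC and CR arrive in the same run as the typed `i`; with them the whole clipboard content is a separate `paste` run that the program can insert verbatim.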
