* Hanno Böck <ha...@hboeck.de> [171031 06:32]:
> I wanted to point out an issue here with vim swap files that makes them
> a security problem.
> 
> By default vim creates a file with the name .filename.swp in the same
> directory while editing. They contain the full content of the edited
> file. This usually gets deleted upon exit, but not if vim crashes or
> gets killed (e.g. due to a reboot).
> 
> On web servers this can be a severe security risk. One can e.g. scan
> for web hosts that have swap files of PHP configuration files and thus
> expose settings like database passwords. (e.g. wget
> http://example.com/.wp-config.php.swp)

See the 'directory' option.

I don't see this as a problem with Vim; Vim gives the user appropriate
means to avoid it.  The problem is one or both of (1) a web server that
serves files that the admin did not intend to serve and (2) the admin's
Vim configuration that puts temporary files in a location that the web
server serves without appropriate filtering.

Both problems are fixable with appropriate configuration.  It would be
inappropriate for Vim's default to be to assume that having both the
file being edited and its swap file in the same directory would be a
security issue.  The implication is that in most cases, if someone can
read the swap file, they can also read the original.  This happens to
not always be true in the case of a web server that filters the PHP
configuration files but not Vim's swap files in the same directory.

...Marvin
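An added example, not code from the thread or from Vim: a small POSIX shell audit that lists stale swap files under a served directory, checks whether a vimrc moves the 'directory' option out of the web root, and prints the two configuration fixes the reply refers to. The sample web root, file contents and paths are constructed for the demo.

```shell
# Added example (not from the vim_dev thread): audit a served directory for
# stale Vim swap files and check whether a vimrc moves them out of the web
# root. All paths and file contents below are constructed for the demo.

# List Vim swap files below a directory. Vim names them .<file>.swp and,
# if that name is taken, .<file>.swo, .swn and so on, so match .*.sw?.
find_swap_files() {
    find "$1" -type f -name '.*.sw?' 2>/dev/null | LC_ALL=C sort
}

# Return 0 when the vimrc's first 'directory' entry lies outside the web
# root. No setting, or an entry of '.', means "next to the edited file",
# which is the default the thread describes.
swap_dir_is_outside_webroot() {
    vimrc="$1"; webroot="$2"
    dir=$(sed -n 's/^[[:space:]]*set[[:space:]]*dir[a-z]*=\([^,]*\).*/\1/p' "$vimrc" | tail -n 1)
    [ -n "$dir" ] || return 1
    case "$dir" in
        .|./*|"$webroot"|"$webroot"/*) return 1 ;;
    esac
    return 0
}

# Build a constructed sample web root with one live PHP file and two swap
# files left behind by a killed editor session.
make_sample_webroot() {
    root=$(mktemp -d)
    printf '<?php $db_pass = "example";\n' > "$root/wp-config.php"
    printf 'b0VIM 8.0' > "$root/.wp-config.php.swp"    # placeholder bytes, not a real swap image
    mkdir -p "$root/inc"
    printf 'b0VIM 8.0' > "$root/inc/.settings.php.swo"
    printf '%s\n' "$root"
}

# Print the two configuration fixes the reply points to: Vim's 'directory'
# option (trailing // encodes the full path into the swap file name) and a
# web-server rule that refuses to serve swap files at all.
print_fixes() {
    cat <<'EOF'
" ~/.vimrc: keep swap files out of any served tree
set directory=~/.vim/swap//
# nginx: never serve Vim swap files
location ~ /\.[^/]+\.sw[a-z]$ { return 404; }
# Apache 2.4: same rule
<FilesMatch "^\..*\.sw[a-z]$">
    Require all denied
</FilesMatch>
EOF
}
```

Run `find_swap_files /var/www` (or whatever the served root is) from cron to catch swap files that survived a crash or reboot; the vimrc check is a quick way to confirm the editor side of the fix is in place.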

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
