Bram,
There was a problem about pasting special terminal chars reported at
http://seclists.org/oss-sec/2018/q1/213

Initially I thought that bracketed-paste mode would prevent such things, 
but it seems this still works. Is there anything Vim can do to prevent 
such things (at least when pasting in bracketed paste mode)?

Here is a copy of the beginning of the message (up to the Vim PoC):

---- http://seclists.org/oss-sec/2018/q1/213 ----
Hello,

When pasting characters into several terminal emulators, control
characters are allowed. This turns out to be a security problem, because
when pasting these characters into terminal text editors, such as
vi/vim, emacs, nano, etc., remote code execution is possible.

This is supposed to be fixed in recent versions of VTE [3], which means
VTE-based terminal emulators should be safe, but the problem is that
most distros are shipping older versions and remain vulnerable.

Here's a list of terminal emulators I tested where this worked. Some
came by default in my distro (debian), others were installed via
apt-get. This should also work on other distros:


LXTerminal
rxvt
urxvt
putty
gnome-terminal
Konsole
Guake
Yakuake
tilda
Terminator
xfce4-terminal
Terminology
ROXTerm
sakura
lilyterm
Eterm
aterm
mrxvt
pterm


Please, update VTE and check if the below still works. For the others
that aren't based on VTE, CVEs should be assigned to each of them. Can
someone help me figure out which ones are based on VTE and those that
aren't?

To reproduce using vi/vim, create an HTML file with the following command:

$ printf '<html>something;&#27;:!id<br>a</html>' > poc.html

Open the poc.html in a browser, select and copy the text that is
presented, and paste it into vi/vim in insert mode. The command "id"
should then be executed.


This works because pasting "&#27;" is allowed, which is the "escape". By
pressing "escape" in insert mode, it is possible to go back to default
mode, and by using the exclamation mark (!) it is possible to execute
arbitrary commands.

[...]
----------------------------


Best,
Christian
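Added example (not part of the thread, and not Vim's or any terminal's code): a small Python model of the PoC above and of the mitigation the report is asking terminals and editors for. It reconstructs the text a browser copies from poc.html, shows that it carries a raw ESC in front of ":!id", and then applies a hypothetical paste filter that drops control characters and a literal end-of-paste sequence before wrapping the result in bracketed-paste markers. The HTML is a copy of the report's one-liner; the filter and the assumption that the browser places the decoded ESC on the clipboard (which is what makes the PoC work) are mine.

```python
import re

# Constructed copy of the HTML the oss-sec report writes to poc.html (example data).
POC_HTML = '<html>something;&#27;:!id<br>a</html>'

ESC = '\x1b'
BRACKETED_PASTE_START = ESC + '[200~'   # sent by the terminal before a paste
BRACKETED_PASTE_END = ESC + '[201~'     # sent by the terminal after a paste


def decode_numeric_refs(text):
    """Decode &#NN; / &#xHH; references to the code points they name.

    Assumption: the browser puts the named code point on the clipboard even for
    C0 controls, which is what the report relies on (&#27; becomes ESC).  Python's
    html.unescape() drops such references instead, so it is not used here.
    """
    def repl(m):
        return chr(int(m.group(1))) if m.group(1) else chr(int(m.group(2), 16))
    return re.sub(r'&#(\d+);|&#[xX]([0-9A-Fa-f]+);', repl, text)


def rendered_text(page):
    """Approximate the text a browser copies from the PoC page:
    <br> becomes a newline, other tags are dropped, references are decoded."""
    text = re.sub(r'<br\s*/?>', '\n', page, flags=re.IGNORECASE)
    text = re.sub(r'<[^>]+>', '', text)
    return decode_numeric_refs(text)


def is_dangerous(ch):
    # C0 controls other than TAB and LF, plus DEL, are not plain text.
    return (ord(ch) < 0x20 and ch not in '\t\n') or ord(ch) == 0x7f


def contains_control_chars(text):
    return any(is_dangerous(ch) for ch in text)


def sanitize_paste(text):
    """Hypothetical paste filter (not Vim's or any terminal's code): strip
    control characters, and strip a literal end-of-paste sequence first so the
    pasted data cannot close the bracket early and be replayed as keystrokes."""
    text = text.replace(BRACKETED_PASTE_END, '')
    return ''.join(ch for ch in text if not is_dangerous(ch))


def bracketed(text):
    """What a terminal should deliver in bracketed-paste mode: the sanitized
    text wrapped in the start/end sequences, so the editor can insert it literally."""
    return BRACKETED_PASTE_START + sanitize_paste(text) + BRACKETED_PASTE_END


if __name__ == '__main__':
    clipboard = rendered_text(POC_HTML)
    print(repr(clipboard))              # 'something;\x1b:!id\na' -- ESC right before ':!id'
    print(contains_control_chars(clipboard))   # True
    print(repr(bracketed(clipboard)))   # ESC[200~ ... ESC[201~ with the pasted ESC removed
```

The filter runs on the terminal side in this model; an editor receiving a bracketed paste still has to treat everything between the two markers literally, which is the part of the problem the question to Bram is about.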

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
