Christian Brabandt wrote:

> Bram,
> There was a problem about pasting special terminal chars reported at
> http://seclists.org/oss-sec/2018/q1/213
> 
> Initially I thought that bracketed-paste mode will prevent such things, 
> but it seems this still works. Is there anything Vim can do to prevent 
> such things (at least when pasting in bracketed paste mode)?
> 
> Here is a copy of the beginning of the message (until the Vim poc):
> 
> ---- http://seclists.org/oss-sec/2018/q1/213 ----
> Hello,
> 
> When pasting characters into several terminal emulators, control
> characters are allowed. This turns out to be a security problem, due to the
> fact that when pasting these characters into terminal text editors, such
> as vi/vim, emacs, nano, etc., remote code execution is possible.
> 
> This is supposed to be fixed in recent versions of VTE [3], which means
> VTE-based terminal emulators should be safe, but the problem is that
> most distros are shipping older versions and remain vulnerable.
> 
> Here's a list of terminal emulators where I tested this and it worked. Some
> came by default in my distro (debian), others were installed via
> apt-get. This should also work on other distros:
> 
> 
> LXTerminal
> rxvt
> urxvt
> putty
> gnome-terminal
> Konsole
> Guake
> Yakuake
> tilda
> Terminator
> xfce4-terminal
> Terminology
> ROXTerm
> sakura
> lilyterm
> Eterm
> aterm
> mrxvt
> pterm
> 
> 
> Please, update VTE and check if the below still works. For the others
> that aren't based on VTE, CVEs should be assigned to each of them. Can
> someone help me figure out which ones are based on VTE and those that
> aren't?
> 
> To reproduce using vi/vim, create an html with the following command:
> 
> $ printf '<html>something;&#27;:!id<br>a</html>' > poc.html
> 
> Open the poc.html in a browser, select and copy the text that is
> presented, and paste it into vi/vim in insert mode. The command "id"
> should then be executed.
> 
> 
> This works because pasting "&#27;" is allowed, which is the "escape". By
> pressing "escape" in insert mode, it is possible to go back to default
> mode, and by using the exclamation mark (!) it is possible to execute
> arbitrary commands.
> 
> [...]
> ----------------------------

I cannot reproduce this in xterm or gnome-terminal.  Using Chrome as the
browser.  With normal paste the Esc is inserted as a character.  When
pasting with Shift pressed the Esc is stripped.

-- 
   A village.  Sound of chanting of Latin canon, punctuated by short, sharp
   cracks.  It comes nearer.  We see it is a line of MONKS ala SEVENTH SEAL
   flagellation scene, chanting and banging themselves on the foreheads with
   wooden boards.
                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
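The mitigation the thread is circling (the quoted message says recent VTE filters pasted control characters; Bram observes that Shift-paste already strips the Esc) can be shown as a small paste filter. The following is an added example, not code from the thread, from Vim or from VTE: it drops every C0, DEL and C1 control character from clipboard text except tab, newline and carriage return (that whitespace allow-list is an assumption, as is the claim that this mirrors VTE's behaviour in detail), reports which characters it removed so a terminal or editor can log the event, and only then wraps the text in xterm-style bracketed-paste markers. Stripping ESC from the payload also guarantees the pasted data cannot contain a premature paste-end marker. The sample clipboard string is constructed from the poc.html in the quoted message, with `&#27;` decoded to a raw ESC.

```python
"""Strip terminal control characters from text before it is pasted.

Added example for the vim_dev thread on pasted control characters; this is
not Vim's or VTE's code, and the whitespace allow-list below is an assumption.
"""
from typing import List, Tuple

# C0 controls (0x00-0x1f), DEL (0x7f) and C1 controls (0x80-0x9f) can all
# start or act as terminal control sequences. ESC (0x1b) is the one the
# quoted message abuses, but 0x9b (8-bit CSI) would serve the same purpose.
_ALLOWED_CONTROLS = {"\t", "\n", "\r"}  # whitespace a user expects to survive a paste

# Bracketed-paste framing (xterm style): a terminal that supports it wraps the
# pasted data so the application can treat everything in between as literal text.
PASTE_START = "\x1b[200~"
PASTE_END = "\x1b[201~"


def is_dangerous_control(ch: str) -> bool:
    """True for any C0/DEL/C1 control character that is not plain whitespace."""
    if ch in _ALLOWED_CONTROLS:
        return False
    cp = ord(ch)
    return cp < 0x20 or 0x7F <= cp <= 0x9F


def find_controls(text: str) -> List[Tuple[int, str]]:
    """Detection helper: (offset, repr) of every control character that would be dropped."""
    return [(i, repr(ch)) for i, ch in enumerate(text) if is_dangerous_control(ch)]


def sanitize_paste(text: str) -> str:
    """Return `text` with every dangerous control character removed."""
    return "".join(ch for ch in text if not is_dangerous_control(ch))


def bracketed_paste(text: str) -> str:
    """Sanitize first, then wrap in bracketed-paste markers.

    Because ESC never survives sanitize_paste(), the payload cannot contain
    PASTE_END, so the application sees exactly one start and one end marker.
    """
    clean = sanitize_paste(text)
    assert PASTE_END not in clean  # cannot happen after sanitizing; stated explicitly
    return PASTE_START + clean + PASTE_END


if __name__ == "__main__":
    # Constructed sample: what a browser places on the clipboard for the
    # poc.html in the quoted message, i.e. '&#27;' decoded to a raw ESC.
    clipboard = "something;\x1b:!id\na"
    print("controls found:", find_controls(clipboard))
    print("sanitized:", repr(sanitize_paste(clipboard)))
    print("bracketed:", repr(bracketed_paste(clipboard)))
```

Run stand-alone, the script reports the ESC at offset 10 and shows that after filtering the text `:!id` is inserted as ordinary characters in insert mode rather than reaching normal mode. The same filter can be applied by an editor to whatever arrives between the paste-start and paste-end markers, which is the terminal-independent fallback the thread asks about for Vim.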
