Re: feedkeys() allowed in sandbox

2007-05-04 Thread Ciaran McCreesh
On Fri, 4 May 2007 14:20:22 +1000
John Beckett [EMAIL PROTECTED] wrote:
> I mentioned that the first step for point 4 should (IMHO) be
> rejecting any modeline beyond some fairly small maximum size.

Most previous exploits have been exploitable with far below the line
length that is reasonably used by sensible people.

> What I'd really like would be a separate sanity check that
> verifies that the syntax in the modeline is boringly standard
> 'set' options for a declared whitelist of things that a modeline
> is allowed to do.

http://www.vim.org/scripts/script.php?script_id=1876

> For example, 100 bytes of malware might be able to erase my
> files, but perhaps it couldn't do something more sophisticated
> like launching a hidden infiltration of my network.

100 bytes is more than enough room to download and execute a file that
contains the real malicious code.

-- 
Ciaran McCreesh





patch 7.0.242 (extra)

2007-05-04 Thread Bram Moolenaar

Patch 7.0.242 (extra)
Problem:    Win32: Using -register in a Vim that does not support OLE causes
            a crash.
Solution:   Don't use EMSG() but mch_errmsg().  Check p_go for being NULL.
            (partly by Michael Wookey)
Files:      src/gui_w32.c


*** ../vim-7.0.241/src/gui_w32.cTue Aug 29 21:30:15 2006
--- src/gui_w32.c   Fri May  4 22:26:13 2007
***
*** 1140,1147 
  static void
  ole_error(char *arg)
  {
! EMSG2(_(E243: Argument not supported: \-%s\; Use the OLE version.),
!arg);
  }
  #endif
  
--- 1140,1152 
  static void
  ole_error(char *arg)
  {
! char buf[IOSIZE];
! 
! /* Can't use EMSG() here, we have not finished initialisation yet. */
! vim_snprintf(buf, IOSIZE,
!   _(E243: Argument not supported: \-%s\; Use the OLE version.),
!   arg);
! mch_errmsg(buf);
  }
  #endif
  
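Review bot: In the new ole_error() body the buffer bound is spelled IOSIZE a second time in the vim_snprintf() call; passing sizeof(buf) would keep the bound tied to the declaration if the array size is ever changed. The bounded formatting is the right choice here, since arg comes from the command line and is only ever used as a %s operand, so an over-long argument is truncated instead of overrunning buf. As shown in this archive the E243 string has lost its double quotes in both the old and the new lines, so the text cannot be applied as displayed.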
***
*** 3164,3171 
  
  /*
   * Check button names.  A long one will make the dialog wider.
   */
! vertical = (vim_strchr(p_go, GO_VERTICAL) != NULL);
  if (!vertical)
  {
// Place buttons horizontally if they fit.
--- 3169,3177 
  
  /*
   * Check button names.  A long one will make the dialog wider.
+  * When called early (-register error message) p_go isn't initialized.
   */
! vertical = (p_go != NULL  vim_strchr(p_go, GO_VERTICAL) != NULL);
  if (!vertical)
  {
// Place buttons horizontally if they fit.
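Review bot: The new assignment to vertical reads "p_go != NULL  vim_strchr(p_go, GO_VERTICAL) != NULL" with no operator between the two tests; it needs && with the NULL test first, so that vim_strchr() is never reached while p_go is still uninitialized. Since the added comment says this code can run before option initialization, it is also worth checking whether the rest of the function reads any other option variable that could still be NULL on the -register error path.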
*** ../vim-7.0.241/src/version.cThu May  3 22:13:03 2007
--- src/version.c   Thu May  3 22:32:06 2007
***
*** 668,669 
--- 668,671 
  {   /* Add new patch number below this line */
+ /**/
+ 242,
  /**/

-- 
Microsoft is to software what McDonalds is to gourmet cooking

 /// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net   \\\
///sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\download, build and distribute -- http://www.A-A-P.org///
 \\\help me help AIDS victims -- http://ICCF-Holland.org///


Re: feedkeys() allowed in sandbox

2007-05-04 Thread John Beckett

Ciaran McCreesh wrote:

> 100 bytes is more than enough room to download and execute
> a file that contains the real malicious code.


I actually agree that it is extremely unlikely that a length
check would make modelines more secure, but I'm being
argumentative because it's irritating to be authoritatively
assured that a length check would have no benefit in the future.

We just don't know whether some future vulnerability (perhaps
using a currently-unknown new feature) might be avoided with a
modeline length check.

John
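
The two checks debated in this thread, a modeline length cap and an allowlist of plain 'set' options, as an added example (not code from the thread, from Vim, or from the script linked above). The 100-byte cap, the allowlist contents and the simplified modeline grammar are assumptions; `check_modeline`, `ALLOWED` and `MAX_LEN` are hypothetical names.

```python
import re

MAX_LEN = 100  # assumed cap; the thread only says "fairly small maximum size"
# Assumed allowlist: option -> regex its value must fully match (None = boolean).
NUM, WORD = r"\d{1,3}", r"[A-Za-z0-9_.-]{1,32}"
ALLOWED = {
    "tabstop": NUM, "ts": NUM, "shiftwidth": NUM, "sw": NUM,
    "softtabstop": NUM, "sts": NUM, "textwidth": NUM, "tw": NUM,
    "filetype": WORD, "ft": WORD, "fileformat": WORD, "ff": WORD,
    "expandtab": None, "et": None, "wrap": None,
}
# "vi:", "vim:", "vim>700:" or "ex:" at line start or after whitespace.
MODELINE = re.compile(r"(?:^|\s)(?:vi|vim(?:[<=>]?\d+)?|ex):\s*(.*)$", re.I)


def check_modeline(line):
    """Return (verdict, reason); verdict is 'none', 'ok' or 'reject'."""
    m = MODELINE.search(line)
    if not m:
        return ("none", "no modeline")
    if len(line) > MAX_LEN:
        return ("reject", "line too long")
    # "set opts:" form stops at the first colon; otherwise split on ':' or blanks.
    s = re.match(r"set?\s+([^:]*):", m.group(1))
    items = s.group(1).split() if s else re.split(r"[\s:]+", m.group(1).strip())
    for item in filter(None, items):
        name, sep, value = item.partition("=")
        # Accept the "no" prefix only in front of an allowlisted option name.
        opt = name[2:] if name.startswith("no") and name[2:] in ALLOWED else name
        if opt not in ALLOWED:
            return ("reject", "option not allowlisted: " + name)
        pattern = ALLOWED[opt]
        if pattern is None:
            if sep:
                return ("reject", "boolean option given a value: " + name)
        elif opt != name or not sep or not re.fullmatch(pattern, value):
            return ("reject", "bad value for " + name)
    return ("ok", "all options allowlisted")


# Constructed sample lines, not taken from the thread.
SAMPLES = [
    "# vim: set ts=4 sw=4 et:",
    "# vi: ts=8:noet",
    "// vim: set ts=4 unknownopt=Func():",
    "# vim: set ft=" + "a" * 200 + ":",
]
if __name__ == "__main__":
    for line in SAMPLES:
        print(check_modeline(line), line[:40])
```

Anything the checker does not recognise is rejected, so the simplified grammar errs toward refusing lines that Vim itself would accept.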