Hi, Ben!

Thanks for pointing this out.

On Wed, Aug 20, 2008 at 4:38 AM, Ben Schmidt
<[EMAIL PROTECTED]> wrote:
> the shell. It should be checked that the keyword is properly shell-escaped,
> too. I can't quickly think of a way to easily exploit this one, so I don't
> think it's a security risk, but it's definitely a bug.

This is very much a security bug.  One that allows arbitrary shell
command execution.

Your usage is a very good example, because one in general doesn't
control the URL of the object one wants to access.  According to my
reading of RFC 3986, valid URI characters, on top of letters and
numbers, are:

    :,[EMAIL PROTECTED]&'()*+;=._~/%

Opening the following URL using the K command will launch the
xclock(1x) program:

    http://www.google.co.uk/search?q=&xclock&;

But, of course, it's much worse:  Since the URL is inside a buffer, we
can assume the whole of the buffer can be controlled by the attacker.
They can use a modeline to set 'iskeyword' to contain any characters
needed for a particular shell command:

    /* We use an obscure glibc function -- check out the man page! */
    clockface = (xclock&)pwnme(a, b, x + y);
    [...]
    /* vim:iskeyword:a-z,&,),(: */

Cheers,
Jan.

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
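The defensive side of the point made above, as an added illustration that is not part of this thread and not Vim's own code: a word taken from the buffer must be quoted as a single shell argument before it is handed to the program in 'keywordprg', and a word containing shell metacharacters should be treated as suspect. The `printf` stand-in for 'keywordprg', the metacharacter set and the keyword `foo;echo INJECTED` are constructed for this example; the injected command is a harmless `echo` chosen only to make the difference visible.

```python
import shlex
import subprocess
from typing import List

# Characters a POSIX shell interprets specially.  This set is constructed for
# the illustration; it is not the set Vim itself consults.
SHELL_METACHARS = set("&|;<>()$`\\\"' \t\n*?[]#~=%!{}")

# Stand-in for 'keywordprg' (normally something like "man"): it just prints
# each argument it receives on its own line, so we can see what the shell
# passed through.  Assumed /bin/sh is available.
KEYWORDPRG = "printf '%s\\n'"


def has_shell_metachars(keyword: str) -> bool:
    """True if a word pulled from the buffer could be interpreted by the shell
    rather than passed through as a literal argument."""
    return any(c in SHELL_METACHARS for c in keyword)


def unsafe_command(keywordprg: str, keyword: str) -> str:
    """Naive concatenation: the keyword is spliced into the command line and
    any metacharacters in it become shell syntax."""
    return f"{keywordprg} {keyword}"


def safe_command(keywordprg: str, keyword: str) -> str:
    """Quote the keyword so the shell delivers it as exactly one argument."""
    return f"{keywordprg} {shlex.quote(keyword)}"


def shell_sees(command: str) -> List[str]:
    """Run COMMAND through /bin/sh and return the lines it printed.
    Only ever called with the harmless printf stand-in above."""
    result = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return result.stdout.splitlines()


def compare(keyword: str):
    """Return (unsafe_lines, safe_lines) for one keyword, where each list is
    what the stand-in keywordprg actually printed."""
    return (shell_sees(unsafe_command(KEYWORDPRG, keyword)),
            shell_sees(safe_command(KEYWORDPRG, keyword)))


if __name__ == "__main__":
    # Constructed sample keyword: with a permissive 'iskeyword' the word under
    # the cursor can contain ';' and spaces.
    for kw in ("strcpy", "foo;echo INJECTED"):
        unsafe, safe = compare(kw)
        print(f"{kw!r}: metachars={has_shell_metachars(kw)}")
        print(f"  unquoted -> {unsafe}")
        print(f"  quoted   -> {safe}")
```

With the unquoted form the shell runs two commands and the stand-in prints `foo` and `INJECTED` on separate lines; with `shlex.quote` the stand-in receives the whole word as one argument and prints it verbatim. A plain identifier such as `strcpy` needs no quoting and `shlex.quote` leaves it untouched, so the fix costs nothing in the common case.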
