MAJOR BUG

Philip Poulos phil at utecfa.UUCP
Tue Apr 17 06:11:26 AEST 1984


Now that I know we are not the only ones to have this "feature" of ex/vi
I should point out the obvious problems.

BUG: Any vi command will be executed as soon as you run ex/vi on a file
     that contains a string that matches the following conditions
     - the string starts with "vi:" or "ex:"
     - the string ends with ":"
     - the string appears in the first 5 or last 5 lines of the file

EXAMPLE: As seen in my original mail the string  vi:q!: results in quitting
         the editor, before you even get in.

         vi:!rm *: Will remove all your files while you are waiting for the
         vi prompt.

         There are, of course, better examples... picture the super user
         editing a source file from the net that has vi:!rm -rf /: hidden
         in the file, or perhaps vi:!kill 1: The list is endless.

        I found this by accident (what else is in vi?)
        We have a login name in the password file
        that ends with "vi", so the string "vi:encryptedstuff:" caused ex to
        burp mildly. Further investigation led to the discovery of the bug.

So everybody that has this ex/vi version (4.2 bsd, maybe others) you better
fix it fast. Otherwise you leave yourself open to an attack of KILLER MAIL.

FIX:
	in ex/ex_io.c 2 pieces of code should be removed.

	1:	remove the routine checkmodeline(), it starts at line ~850

	2:	In rop2() remove the call to checkmodeline()
		the entire for loop should go, it looks like

				for(a=first; a<=last; a++) {
					if(a == first+5 && last-first >10)
						a = last - 4;
					getline(*a);
					checkmodeline(linebuf);
				}


				Phil (I'll try vi next year) Poulos
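
A defensive check for the condition described in the post, as an added example that is not part of the original message or of the ex source: it flags lines an affected ex/vi would treat as a command, using the same first-five/last-five window as the quoted loop. The names `modeline_command`, `scan_lines` and `sample` are hypothetical, the sample lines are constructed, and treating the last ':' on the line as the terminator is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Post's conditions: "vi:" or "ex:" anywhere in the line, closed by a later
 * ':'. Using the LAST ':' as terminator is an assumption. Returns 1 and
 * copies the would-be command into cmd, else returns 0. */
int modeline_command(const char *line, char *cmd, size_t cmdsz)
{
    const char *vi = strstr(line, "vi:"), *ex = strstr(line, "ex:");
    const char *beg = (vi && (!ex || vi < ex)) ? vi : ex;
    const char *end;
    size_t len;
    if (beg == NULL || cmdsz == 0)
        return 0;
    beg += 3;                          /* skip the prefix */
    end = strrchr(beg, ':');
    if (end == NULL || end == beg)     /* no closing ':' or empty command */
        return 0;
    len = (size_t)(end - beg);
    if (len >= cmdsz)
        len = cmdsz - 1;               /* truncate rather than overflow */
    memcpy(cmd, beg, len);
    cmd[len] = '\0';
    return 1;
}

/* Same window as the quoted rop2() loop: first five and last five lines
 * (every line when the file is short). Returns the number of hits. */
int scan_lines(const char *const *lines, int n)
{
    char cmd[256];
    int i, found = 0;

    for (i = 0; i < n; i++) {
        if (i == 5 && n - 1 > 10)
            i = n - 5;                 /* jump to the last five lines */
        if (modeline_command(lines[i], cmd, sizeof cmd)) {
            printf("line %d: would execute \"%s\"\n", i + 1, cmd);
            found++;
        }
    }
    return found;
}

/* Constructed sample: hits on lines 2 and 14; line 7 is outside the window. */
const char *const sample[] = { "/* sample */", "/* vi:q!: */", "a", "b", "c",
    "d", "levi:encryptedstuff:", "e", "f", "g", "h", "i", "j", "ex:set ai:" };

int main(void) { return scan_lines(sample, 14) == 2 ? 0 : 1; }
```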


