Xref: utzoo alt.security:1591 alt.bbs:2988 comp.unix.sysv386:555
Path: utzoo!utgpu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!rpi!uupsi!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: alt.security,alt.bbs,comp.unix.sysv386
Subject: Here's how to stop shell escapes from vi
Message-ID: <11285:Sep2022:15:2090@kramden.acf.nyu.edu>
Date: 20 Sep 90 22:15:20 GMT
References: <2441@sud509.ed.ray.com> <1990Sep18.120450.14590@nstar.uucp> <1990Sep20.153105.28394@naitc.naitc.com>
Organization: IR
Lines: 23
X-Original-Subject: Protecting against downloads

In article <1990Sep20.153105.28394@naitc.naitc.com> karl@bbs.naitc.com (Karl Denninger) writes:
> Without source code to "vi" there is NO WAY to prevent this. Believe me.

How fatalistic.

It's easy to prevent shell escapes from vi. All you have to do is make
sure that the : and ! characters aren't accessible from command mode.
This takes one command:

  % pty -0 tr \:\! \?\? | pty vi

Of course, you should have keyboard signal characters turned off. And
you need to pick up a copy of pty, which hasn't yet been ported to
System V. Under BSD, though, you don't need to do any coding work.

A more polite solution is to convert : into a:, and convert ! into a!.
In any case you should provide macros to exercise a limited subset of
the functions of : and !---to let the user :set nu or nonu, for example.

Can we stop discussing this problem now? It's solved.

---Dan