Xref: utzoo alt.security:1602 comp.unix.sysv386:628
Path: utzoo!utgpu!cs.utexas.edu!uunet!mcsun!unido!mikros!mwtech!martin
From: martin@mwtech.UUCP (Martin Weitzel)
Newsgroups: alt.security,comp.unix.sysv386
Subject: Re: Here's how to stop shell escapes from vi
Message-ID: <924@mwtech.UUCP>
Date: 22 Sep 90 11:07:31 GMT
References: <2441@sud509.ed.ray.com> <1990Sep18.120450.14590@nstar.uucp> <1990Sep20.153105.28394@naitc.naitc.com> <11285:Sep2022:15:2090@kr
Reply-To: martin@mwtech.UUCP (Martin Weitzel)
Organization: MIKROS Systemware, Darmstadt/W-Germany
Lines: 25

In article <11285:Sep2022:15:2090@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
Dan> X-Original-Subject: Protecting against downloads

Dan> In article <1990Sep20.153105.28394@naitc.naitc.com> karl@bbs.naitc.com (Karl Denninger) writes:
> Without source code to "vi" there is NO WAY to prevent this. Believe me.

Dan> How fatalistic.

Dan> It's easy to prevent shell escapes from vi. All you have to do is make
Dan> sure that the : and ! characters aren't accessible from command mode.
Dan> This takes one command:

Dan>   % pty -0 tr \:\! \?\? | pty vi

Maybe it's because I don't know exactly what `pty' does or I have
missed a smiley, but

- I can get an ex-prompt from command mode also with "Q" and can
  type "sh" from there (seems that "Q" should be disabled as well)
- I can `execute buffers' with the "@" - a less known but very useful
  feature (seems "@" would have to be disabled as well)

Dan> Can we stop discussing this problem now? It's solved.

Sure? Maybe there are still some other possibilities.
-- 
Martin Weitzel, email: martin@mwtech.UUCP, voice: 49-(0)6151-6 56 83