Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10 5/3/83; site utecfa.UUCP
Path: utzoo!utcsrgv!utai!uthub!utecfa!phil
From: phil@utecfa.UUCP (Philip Poulos)
Newsgroups: net.unix-wizards,net.bugs
Subject: MAJOR BUG
Message-ID: <137@utecfa.UUCP>
Date: Mon, 16-Apr-84 15:11:26 EST
Article-I.D.: utecfa.137
Posted: Mon Apr 16 15:11:26 1984
Date-Received: Mon, 16-Apr-84 20:20:35 EST
Organization: Engineering, University of Toronto
Lines: 44

Now that I know we are not the only ones to have this "feature" of ex/vi
I should point out the obvious problems.

BUG:
	Any vi command will be executed as soon as you run ex/vi on a file
	that contains a string that matches the following conditions
		- the string starts with "vi:" or "ex:"
		- the string ends with ":"
		- the string appears in the first 5 or last 5 lines of the file

EXAMPLE:
	As seen in my original mail the string
		vi:q!:
	results in quitting the editor, before you even get in.
		vi:!rm *:
	Will remove all your files while you are waiting for the vi prompt.

	There are, of course, better examples... picture the super user
	editing a source file from the net that has
		vi:!rm -rf /:
	hidden in the file, or perhaps
		vi:!kill 1:
	The list is endless.

	I found this by accident (what else is in vi?) We have a login name
	in the password file that ends with "vi", so the string
	"vi:encryptedstuff:" caused ex to burp mildly. Further investigation
	led to the discovery of the bug.

	So everybody that has this ex/vi version (4.2 bsd, maybe others)
	you better fix it fast. Otherwise you leave yourself open to an
	attack of KILLER MAIL.

FIX:
	in ex/ex_io.c 2 pieces of code should be removed.
	1: remove the routine checkmodeline(), it starts at line ~850
	2: In rop2() remove the call to checkmodeline()
	   the entire for loop should go, it looks like

		for(a=first; a<=last; a++) {
			if(a == first+5 && last-first >10)
				a = last - 4;
			getline(*a);
			checkmodeline(linebuf);
		}

Phil (I'll try vi next year) Poulos
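
A defensive check for the condition described in the post, as an added example that is not part of the original article: it flags lines that fall inside the window the quoted loop inspects and that contain a "vi:" or "ex:" string closed by ":". The function names, the sample inputs and the choice to read the command up to the last ":" on the line are assumptions made for illustration.

```python
import re

# "vi:" or "ex:" anywhere in a line, then text up to a closing ":".
# Assumption: the command runs to the LAST ":" on the line (greedy match).
MODELINE = re.compile(r"(?:vi|ex):(.*):")
WINDOW = 5  # lines inspected at each end of the file, per the post


def scanned_indices(n):
    """Zero-based indices of the lines the loop quoted in the post reads."""
    if n - 1 <= 10:              # "last-first > 10" is false: every line is read
        return list(range(n))
    return list(range(WINDOW)) + list(range(n - WINDOW, n))


def find_modelines(text):
    """Return (line_no, command, shell_escape) for each line in the scanned
    window that would be taken as an editor command."""
    lines = text.splitlines()
    hits = []
    for i in scanned_indices(len(lines)):
        m = MODELINE.search(lines[i])
        if m:
            cmd = m.group(1)
            # A leading "!" hands the rest of the command to the shell.
            hits.append((i + 1, cmd, cmd.lstrip().startswith("!")))
    return hits


# Constructed sample inputs (not taken from any real file).
SAMPLE_SOURCE = "\n".join(
    ["/* util.c */"] + ["int x%d;" % i for i in range(20)] + ["/* vi:q!: */"]
)
SAMPLE_PASSWD = "root:xx:0:0::/:/bin/sh\nlevi:encryptedstuff:12:10::/u/levi:/bin/sh"
SAMPLE_MIDDLE = "\n".join(["a"] * 8 + ["vi:q!:"] + ["b"] * 8)  # outside the window

if __name__ == "__main__":
    samples = [("source", SAMPLE_SOURCE), ("passwd", SAMPLE_PASSWD),
               ("middle", SAMPLE_MIDDLE)]
    for name, text in samples:
        for line_no, cmd, shell in find_modelines(text):
            kind = "shell escape" if shell else "editor command"
            print("%s: line %d would run %r (%s)" % (name, line_no, cmd, kind))
```

The password-file sample shows why a scanner of this kind reports accidental matches as well as planted ones: a login name ending in "vi" is enough to trigger it.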