Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!csd4.milw.wisc.edu!uwmcsd1!marque!uunet!rosevax!ernie.Rosemount.COM!merlyn From: merlyn@ernie.Rosemount.COM (Brian Westley) Newsgroups: comp.unix.wizards Subject: Re: Putting trojan horse fixes where they belong Message-ID: <6923@rosevax.Rosemount.COM> Date: 19 Dec 88 15:27:12 GMT References: <6798@rosevax.Rosemount.COM> <591@auspex.UUCP> <6811@rosevax.Rosemount.COM> <13253@ncoast.UUCP> <6893@rosevax.Rosemount.COM> <731@auspex.UUCP> Sender: news@rosevax.Rosemount.COM Reply-To: merlyn@ernie.Rosemount.COM (Brian Westley) Organization: Rosemount Inc., Burnsville, MN Lines: 48 >>There are many sites that CANNOT put ANYTHING into $HOME/.exrc to turn >> this trojan-horse mechanism off. >Those sites don't support "+set nomodelines" on the command line, >either, so the "fix" to Pnews doesn't help. Yes, I found out about such vi's after I posted my fix. For these, either the files have to be munged to remove trojan horses before giving them to vi, or use rvi. Your "fix" doesn't do anything to fix this, either. >>[some people might USE modelines] >Err, umm, requiring them to change this prevents them from getting >screwed when running *other* utilities; care to track down *every single >utility* that runs "vi" - including the Bourne, C, and Korn shells - and >fix them? No, if people actually USE modelines, they presumably know the danger; telling them they can't use modelines because Pnews is too stupid to not run trojan horses is.. well, stupid. Pnews and Rnmail are much more vunerable since they routinely edit files written by total strangers thousands of miles away. >Furthermore, if Arthur Olson's analysis is correct, the "+set modeline" >gets interpreted after the file's been read and checked for mode lines, >so it doesn't help anyway.... It works on at least some machines. This is why it's a configuration issue, since no single method is both simple and guaranteed to work. (the file munging method will work all the time, but it adds overhead). To reiterate: there are many editors where trojan horses are impossible to turn off (some vi's), or on by default (many vi's, GNU emacs). Given this, Pnews (& Rnmail, etc) has to be fixed. For example, to test vi, the config program should: 1) Try to get vi to run a trojan horse, using .exrc and EXINIT with 'set modeline' or 'set modelines', whichever works. 2) Try to invoke vi with '+set nomodeline[s]' to see if this stops the trojan horse. 3) Use the '+set nomodeline[s]' if it works, otherwise munge the file with e.g. "sed 's/\([ev][xi]\):\([^:]*\):/\1;\2;/g'" 4) The configuror must inform the config file about oddly-named versions of vi, so they can be included in the case statement. It would probably be easiest if this were incorporated into a self contained editor-invoking script, so it could be called by scripts or C programs as needed, and not patched in place. Merlyn LeRoy