davy@ecn-ee.UUCP (04/27/84)
#N:ecn-ee:13000017:000:2370 ecn-ee!davy Apr 26 18:22:00 1984 Sigh. Along with the modelines misfeature in vi, here's another one. Along with sourcing ~/.exrc, vi/ex also source ./.exrc, whether you own it or not. This leaves you open to the same trojan horse problem that modelines do; namely, someone puts ":!rm -rf ~/*" or something into a local .exrc and waits for you to run "vi" or "view" or "ex" or whatever. Blammo. The diffs below show the changes needed to permit ex/vi to source only those .exrc files owned by the person invoking the editor.
*** /tmp/,RCSt1004640 Wed Apr 25 10:16:47 1984
--- ex.c Wed Apr 25 09:13:47 1984
***************
*** 75,80
#ifndef VMUNIX
char *erpath = EXSTRINGS;
#endif
register char *cp;
register int c;
bool recov = 0;
--- 75,81 -----
#ifndef VMUNIX
char *erpath = EXSTRINGS;
#endif
+ struct stat stbuf;
register char *cp;
register int c;
bool recov = 0;
***************
*** 307,314
commands(1,1);
else {
globp = 0;
! if ((cp = getenv("HOME")) != 0 && *cp)
! source(strcat(strcpy(genbuf, cp), "/.exrc"), 1);
}
/*
* Allow local .exrc too. This loses if . is $HOME,
--- 308,325 -----
commands(1,1);
else {
globp = 0;
!
! /*
! * BUGFIX: only source .exrc if you own
! * it. This eliminates trojan horses.
! * --Dave Curry, 4/25/84
! */
! if ((cp = getenv("HOME")) != 0 && *cp) {
! strcpy(genbuf, cp);
! strcat(genbuf, "/.exrc");
! if ((stat(genbuf, &stbuf) >= 0) && (stbuf.st_uid == getuid()))
! source(genbuf, 1);
! }
}
/*
* Allow local .exrc too. This loses if . is $HOME,
***************
*** 316,322
* like putting a version command in .exrc. Besides,
* they should be using EXINIT, not .exrc, right?
*/
! source(".exrc", 1);
}
init(); /* moved after prev 2 chunks to fix directory option */
--- 327,339 -----
* like putting a version command in .exrc. Besides,
* they should be using EXINIT, not .exrc, right?
*/
! /*
! * BUGFIX: only source .exrc if you own
! * it. This eliminates trojan horses.
! * --Dave Curry, 4/25/84
! */
!
if ((stat(".exrc", &stbuf) >= 0) && (stbuf.st_uid == getuid()))
! source(".exrc", 1);
}
init(); /* moved after prev 2 chunks to fix directory option */
---------------------------
--Dave Curry decvax!pur-ee!davy eevax.davy@purdue
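Review bot: The ownership test in both new `if` conditions (the `$HOME/.exrc` hunk at 308,325 and the `./.exrc` hunk at 327,339) still accepts a file you own that is group- or world-writable, so another user can still put commands into it. The condition should also reject those modes, e.g. `if (stat(".exrc", &stbuf) >= 0 && stbuf.st_uid == getuid() && (stbuf.st_mode & 022) == 0)`, and likewise for `genbuf`. Because `stat()` follows symbolic links and `source()` reopens the file by name, the file checked is not guaranteed to be the file read. Closing that gap means opening first and calling `fstat()` on the descriptor, which would have to happen inside `source()`, whose body is outside these hunks. The `$HOME` hunk also keeps the unbounded `strcpy`/`strcat` into `genbuf`, whose size is not visible here, so a length check on `cp` before the copy is worth adding.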