vi .exrc fix - (nf)

Fri Apr 27 17:25:11 AEST 1984

#N:ecn-ee:13000017:000:2370
ecn-ee!davy    Apr 26 18:22:00 1984

Sigh.  Along with the modelines misfeature in vi, here's another 
one.  Along with sourcing ~/.exrc, vi/ex also source ./.exrc, 
whether you own it or not.  This leaves you open to the same trojan 
horse problem that modelines do; namely, someone puts ":!rm -rf ~/*" 
or something into a local .exrc and waits for you to run "vi" or 
"view" or "ex" or whatever.  Blammo.

The diffs below show the changes needed to permit ex/vi to source 
only those .exrc files owned by the person invoking the editor.

*** /tmp/,RCSt1004640	Wed Apr 25 10:16:47 1984
--- ex.c	Wed Apr 25 09:13:47 1984
***************
*** 75,80
  #ifndef VMUNIX
  	char *erpath = EXSTRINGS;
  #endif
  	register char *cp;
  	register int c;
  	bool recov = 0;

--- 75,81 -----
  #ifndef VMUNIX
  	char *erpath = EXSTRINGS;
  #endif
+ 	struct stat stbuf;
  	register char *cp;
  	register int c;
  	bool recov = 0;
***************
*** 307,314
  			commands(1,1);
  		else {
  			globp = 0;
! 			if ((cp = getenv("HOME")) != 0 && *cp)
! 				source(strcat(strcpy(genbuf, cp), "/.exrc"), 1);
  		}
  		/*
  		 * Allow local .exrc too.  This loses if . is $HOME,

--- 308,325 -----
  			commands(1,1);
  		else {
  			globp = 0;
! 
! 			/*
! 			 * BUGFIX: only source .exrc if you own
! 			 * it.  This eliminates trojan horses.
! 			 * --Dave Curry, 4/25/84
! 			 */
! 			if ((cp = getenv("HOME")) != 0 && *cp) {
! 				strcpy(genbuf, cp);
! 				strcat(genbuf, "/.exrc");
! 				if ((stat(genbuf, &stbuf) >= 0) && (stbuf.st_uid == getuid()))
! 					source(genbuf, 1);
! 			}
  		}
  		/*
  		 * Allow local .exrc too.  This loses if . is $HOME,
***************
*** 316,322
  		 * like putting a version command in .exrc.  Besides,
  		 * they should be using EXINIT, not .exrc, right?
  		 */
! 		source(".exrc", 1);
  	}
  	init();	/* moved after prev 2 chunks to fix directory option */

--- 327,339 -----
  		 * like putting a version command in .exrc.  Besides,
  		 * they should be using EXINIT, not .exrc, right?
  		 */
! 		/*
! 		 * BUGFIX: only source .exrc if you own
! 		 * it.  This eliminates trojan horses.
! 		 * --Dave Curry, 4/25/84
! 		 */
! 		if ((stat(".exrc", &stbuf) >= 0) && (stbuf.st_uid == getuid()))
! 			source(".exrc", 1);
  	}
  	init();	/* moved after prev 2 chunks to fix directory option */

---------------------------

--Dave Curry
decvax!pur-ee!davy
eevax.davy at purdue