Saturday, January 2, 2016

Re: (inconsistent?) behavior of environment variables

On Sat, Jan 2, 2016 at 4:53 PM, Tim Chase <vim@tim.thechases.com> wrote:
> On 2016-01-02 16:06, Bram Moolenaar wrote:
>> I believe $UID is a shell variable (bash only?) which is not
>> exported. Thus Vim doesn't get it. When using expand() the shell
>> is used to expand the variable, thus then you do get it.
>
> Okay, that makes sense...though does that then make expand() a
> potential vector for shell exploits if it's being called with an
> untrusted string?
>
> -tim

Hm, hard to think of how. If you type
echo "get my $FOO at the $BAR please", or echo for any other
untrusted double-quoted string, at the shell prompt, could it cause an
exploit?

Best regards,
Tony.

--
--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_use" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vim_use+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

No comments:

Post a Comment