Re: Potential Bash Script Vulnerability

[Kerin Millar]

On Tue, 9 Apr 2024 10:42:58 +1200
Martin D Kealey <martin@kurahaupo.gen.nz> wrote:

> On Mon, 8 Apr 2024 at 01:49, Kerin Millar <kfm@plushkava.net> wrote:
> 
> > the method by which vim amends files is similar to that of sed -i.
> >
> 
> I was about to write "nonsense, vim **never** does that for me", but then I
> remembered that using ":w!" instead of ":w" (or ":wq!" instead of ":wq")
> will write the file as normal, but if that fails, it will attempt to remove
> it and create a new one. Ironically, that's precisely one of the cases
> where using "sed -i" is a bad idea, but at least with vim you've already
> tried ":w" and noticed that it failed, and made a considered decision to
> use ":w!" instead.
> 
> Except that nowadays many folk always type ":wq!" to exit vim, and never
> put any thought into this undesirable side effect.
> 
> I put that in the same bucket as using "kill -9" to terminate daemons, or
> liberally using "-f" or "--force" in lots of other places. Those  are bad
> habits, since they override useful safety checks, and I recommend making a
> strenuous effort to unlearn such patterns. Then you can use these stronger
> versions only when (1) the soft versions fail, and (2) you understand the
> collateral damage, and (3) you've thought about it and decided that it's
> acceptable in the particular circumstances.
> 
> -Martin
> 
> PS: I've never understood the preference for ":wq" over "ZZ" (or ":x"); I
> want to leave the modification time unchanged if I don't edit the file.

Alright. In that case, I don't know why I wasn't able to 'inject' a replacement 
command with it. I'll give it another try and see whether I can determine what 
happened.

-- 
Kerin Millar