I use vim for my text editor (I have
export VISUAL="/usr/bin/vim"
in my ~/.bashrc). Yesterday I used the wallet script to update my password list, and then later I was using vim to edit a totally unrelated text file. I fat-fingered what I was doing and typed some magical set of keystrokes (still not sure just how I did that), and suddenly I was looking at several lines from my password file. I recognized those lines as lines that I had highlighted, deleted, and then pasted to a new location when editing the password file when I was using wallet. I then had a forehead-slapping moment when I realized that such edits are saved for posterity in the ~/.viminfo file. Oops. That's a potential information leakage vulnerability.
But it is easily remedied by adding the following line to ~/.walletrc:
VISUAL="/usr/bin/vim -i NONE"
The -i option tells vim to use some file other than ~/.viminfo for its state information. In this case, it tells vim not to store state information at all. The trick of putting it in ~/.walletrc (rather than in ~/.bashrc) means that vim only skips storing state information when running wallet; vim will keep state information in ~/.viminfo any other time you run vim.
So if you're using wallet with vim, I urge you to make the above change to your ~/.walletrc file.
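To see what a viminfo file already holds and to confirm the ~/.walletrc setting is in place, the shell functions below list the register text saved in a viminfo file and check the VISUAL line. This is an added example, not part of the original post or of wallet: the function names are made up here, the viminfo register layout is assumed as described in the comments, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: audit vim state files and the wallet config (names are hypothetical).

# Print the text held in saved registers of a viminfo file.
# Assumed layout: the "# Registers:" section holds header lines that start
# with a double quote, each followed by content lines that start with a TAB.
viminfo_register_text() {
    awk '
        /^# Registers:/  { in_regs = 1; next }
        /^# /            { in_regs = 0 }
        in_regs && /^\t/ { sub(/^\t/, ""); print }
    ' "$1"
}

# Succeed only if the config file sets VISUAL to run vim with "-i NONE".
walletrc_disables_viminfo() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?VISUAL=.*vim.*[[:space:]]-i[[:space:]]+NONE' "$1"
}

# Write a constructed viminfo sample (not real data) to the given path.
make_sample() {
    printf '# Registers:\n""1\tLINE\t0\n\texample.test  alice  not-a-real-password\n' >"$1"
    printf '"2\tCHAR\t0\n\tsecond yanked fragment\n# File marks:\n' >>"$1"
    printf "'0  1  0  ~/notes.txt\n" >>"$1"
}

# Demo on constructed files in a temporary directory.
tmp=$(mktemp -d)
make_sample "$tmp/viminfo"
echo "Register lines recoverable from sample viminfo:"
viminfo_register_text "$tmp/viminfo"
printf 'VISUAL="/usr/bin/vim -i NONE"\n' >"$tmp/walletrc"
if walletrc_disables_viminfo "$tmp/walletrc"; then
    echo "walletrc: vim runs without a viminfo file"
else
    echo "walletrc: vim will still write viminfo"
fi
rm -rf "$tmp"
```

Pointing viminfo_register_text at your own ~/.viminfo shows what was saved before the -i NONE change; deleting that file discards it.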