contents of main buffer are parsed as recipients #104

Closed
ThomasAH opened this issue Jul 4, 2019 · 2 comments · Fixed by #115
ThomasAH commented Jul 4, 2019

As indicated in other issues I had problems with git master, which did not exist in v2.6.1.
I just tested again with 6219a5a and found the following:

  1. `vim test.gpg`
  2. if the file already existed, use `:GPGEditRecipients` to open the recipients list
  3. close the recipients list (optionally add or remove recipients)
  4. change the text of the main buffer to just `com` (or anything else that has multiple matches in your keyring), optionally add additional lines with `org`, `debian` (or whatever has multiple matches in your keyring)
  5. save the file

Now for each line of the main buffer that matches multiple keys in your keyring, gnupg.vim asks to select the correct recipient.
(the file does not get encrypted to these recipients though)

@leahneukirchen

This still happens on 2.7. Luckily the lines are shell escaped, but this leaks secrets to other users of the system that use ps or top.
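
The exposure described in the comment above, as an added example that is not part of the original thread and not the plugin's code: on Linux, anything passed to a child process as an argument is readable through `/proc/<pid>/cmdline`, which is what `ps` and `top` display, while data written to the child's stdin is not. The sample buffer line, the helper names and the stand-in child process are assumptions made for the illustration.

```python
import subprocess
import sys

# Constructed stand-in for one line of decrypted buffer text.
BUFFER_LINE = "constructed-secret-buffer-line"

# Child that just waits for stdin to close, so it stays alive while inspected.
CHILD = "import sys; sys.stdin.read()"


def visible_argv(pid):
    """Return the argument vector Linux exposes in /proc/<pid>/cmdline,
    the same data ps and top display."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        raw = f.read()
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]


def exposed(secret, via_argv):
    """Start a child, hand it the secret via argv or via stdin, and report
    whether the secret shows up in the child's visible arguments."""
    cmd = [sys.executable, "-c", CHILD]
    if via_argv:
        cmd.append(secret)
    child = subprocess.Popen(cmd, stdin=subprocess.PIPE)
    try:
        if not via_argv:
            child.stdin.write(secret.encode())
            child.stdin.flush()
        return secret in visible_argv(child.pid)
    finally:
        child.stdin.close()
        child.wait()


if __name__ == "__main__":
    print("secret visible when passed as argument:", exposed(BUFFER_LINE, True))
    print("secret visible when passed on stdin:   ", exposed(BUFFER_LINE, False))
```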

leahneukirchen added a commit to void-linux/void-packages that referenced this issue Nov 10, 2020
2.7.0 still has security critical bugs, e.g.
jamessan/vim-gnupg#104

This reverts commit 8604846.
This reverts commit a547f88.
@jamessan

I think I see what's going on. I should have a fixed version out today or tomorrow. I'll ping you on the PR to verify it fixes your uses.

jamessan added a commit that referenced this issue Nov 11, 2020
The BufHidden autocommand will have already called the respective Finish
function.  Clearing the autocommands during BufUnload ensures they don't
inadvertently run when Vim is shutting down.

Closes #104