| Summary: | Replace vim's builtin modeline support with app-vim/securemodelines | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Matt Turner <mattst88> |
| Component: | New packages | Assignee: | Vim Maintainers <vim> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | normal | CC: | ciaran.mccreesh |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=687394 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Matt Turner
2010-12-05 20:34:47 UTC
Is there any reason this hasn't gone upstream? A security fix like this feels like it's more suited to be part of vim by default. But until then, I can see the value of having it in our RDEPEND via USE flag, sure.

Bram considers the built-in modeline support to be sufficiently secure. It's his opinion that being able to screw up the user's terminal, allocate lots and lots of RAM and make Vim unusable aren't security holes. Thus, Vim's modelines allow you to set any option that hasn't been proven to allow arbitrary code execution.

@Ciaran: Upstream said no; understood. So the next step, I suppose, would be to stabilize app-vim/securemodelines so I can RDEPEND from all current [g]vim versions. But before I do that, I think there are a couple minor issues to resolve:

-> The ebuild and the script header both say that documentation is available at http://ciaranm.org/tag/securemodelines which does not seem to exist. Is there an updated location for the documentation? Or any chance someone could do up an actual vimhelp page for this plugin?

-> I noticed that there's no way to disable securemodelines at all. If you have the plugin installed, it always runs. Having a disable variable may be nice. Also, since the script is already checking 'modelines' and disabling it, perhaps it could also key off the presence of this setting to detect the user's intent, something like this:

```vim
if (! exists("g:secure_modelines_enable"))
  if &modeline
    let g:secure_modelines_enable = 1
  else
    let g:secure_modelines_enable = 0
  endif
endif
```

Thus if the user already has 'modelines' enabled the default is to use secure modelines. If the user has neither 'modelines' nor 'g:secure_modelines_enable' on, the script should do nothing. Thoughts? Ciaran?

The homepage is now https://github.com/ciaranm/securemodelines . I'd happily take a git format-patch doing what you suggest for disabling things.

vim@?
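To make concrete what this bug is asking for (a whitelist of modeline options instead of Vim's default of honouring any option not proven exploitable), here is an added example written for this page; it is not code from securemodelines or from Vim. It finds modelines in the first and last 'modelines' lines of a buffer, parses both modeline syntaxes documented in `:help modeline`, and keeps only whitelisted options whose values match a strict pattern. The allow-list, the value patterns, the sample buffer and the function names are this example's own assumptions and do not reproduce the plugin's real defaults.

```python
"""Whitelist filter for Vim modelines (added example, not the plugin's code).

Handles the two modeline forms from ':help modeline':

    [text]{white}{vi:|vim:|ex:}[white]{options}            (first form)
    [text]{white}{vi:|vim:|Vim:|ex:}[white]se[t] {options}:[text]   (set form)

plus the 'vim<nnn:', 'vim=nnn:' and 'vim>nnn:' version-gated prefixes
(the version comparison itself is not evaluated here).
"""
import re

# Prefix must be preceded by whitespace or start of line, as in Vim.
MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|vim(?:[<=>]?\d+)?|Vim|ex):\s*(.*)$')
SET_RE = re.compile(r'se(?:t)?\s+(.*)$')

# Illustrative allow-list (an assumption of this example, not the plugin's
# default list): option name -> kind of value it may carry.
ALLOWED = {
    "textwidth": "num", "tw": "num",
    "tabstop": "num", "ts": "num",
    "shiftwidth": "num", "sw": "num",
    "softtabstop": "num", "sts": "num",
    "expandtab": "bool", "et": "bool",
    "autoindent": "bool", "ai": "bool",
    "spell": "bool",
    "readonly": "bool", "ro": "bool",
    "filetype": "word", "ft": "word",
    "foldmethod": "word", "fdm": "word",
}
VALUE_RE = {
    "num": re.compile(r'\d+'),
    "word": re.compile(r'[A-Za-z0-9_.-]+'),   # no '/', spaces or shell metachars
}


def parse_modeline(line):
    """Return the raw option tokens of the modeline in `line`, or [] if none."""
    m = MODELINE_RE.search(line)
    if not m:
        return []
    rest = m.group(1)
    sm = SET_RE.match(rest)
    if sm:
        body = sm.group(1)
        # set form: options end at the first colon not escaped by a backslash
        end = re.search(r'(?<!\\):', body)
        if end:
            body = body[:end.start()]
        return body.split()
    # first form: everything after the prefix is options, split on blanks or ':'
    return [t for t in re.split(r'[\s:]+', rest) if t]


def filter_tokens(tokens, allowed=ALLOWED):
    """Split tokens into (accepted {name: value}, rejected [token, ...])."""
    accepted, rejected = {}, []
    for tok in tokens:
        name, has_value, value = tok.partition("=")
        kind = allowed.get(name)
        if kind == "bool" and not has_value:
            accepted[name] = True
        elif (kind is None and name.startswith("no") and not has_value
              and allowed.get(name[2:]) == "bool"):
            accepted[name[2:]] = False            # 'noet', 'noai', ...
        elif kind in VALUE_RE and has_value and VALUE_RE[kind].fullmatch(value):
            accepted[name] = int(value) if kind == "num" else value
        else:
            rejected.append(tok)                  # unknown option or bad value
    return accepted, rejected


def scan(text, nlines=5):
    """Apply the whitelist to modelines in the first/last `nlines` lines."""
    lines = text.splitlines()
    candidates = lines if len(lines) <= 2 * nlines else lines[:nlines] + lines[-nlines:]
    accepted, rejected = {}, []
    for line in candidates:
        acc, rej = filter_tokens(parse_modeline(line))
        accepted.update(acc)
        rejected.extend(rej)
    return accepted, rejected


# Constructed sample buffer: a set-form modeline on line 1 carrying one
# non-whitelisted option, a decoy on line 6 that falls outside the scanned
# window, and a first-form modeline on the last line.
SAMPLE = "\n".join([
    "# vim: set ts=4 sw=4 et makeprg=make ft=python:",
    "x = 1", "x = 2", "x = 3", "x = 4",
    "# vim: tw=9999",
    "x = 6", "x = 7", "x = 8", "x = 9",
    "# vi:tw=72:nows",
]) + "\n"

if __name__ == "__main__":
    acc, rej = scan(SAMPLE)
    print("applied :", acc)
    print("rejected:", rej)
```

Run it to see the whitelisted options applied and `makeprg=make` and `nows` refused; the decoy `tw=9999` on line 6 never reaches the filter because only the first and last five lines are examined.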