Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 347835 - Replace vim's builtin modeline support with app-vim/securemodelines
Summary: Replace vim's builtin modeline support with app-vim/securemodelines
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High normal
Assignee: Vim Maintainers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-12-05 20:34 UTC by Matt Turner
Modified: 2022-02-19 01:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Turner gentoo-dev 2010-12-05 20:34:47 UTC
After 3 years, I closed out bug 178480 by keywording app-vim/securemodelines on mips.

In the report, Mike Kelley (now retired) put forth this plan:

"""
I intend to completely disable
vim's builtin modeline support and have (g)vim RDEPEND on securemodelines
unless USE="insecure-modelines".

Note that this script will still function properly even if vim's own modeline
support hasn't been completely disabled.

For a few good test cases, try:

# for modelines like: vim:tw=78:ts=8:ft=help
$ vim /usr/share/vim/vimfiles/doc/gentoo-syntax.txt
:set tw? ts? ft?
  textwidth=78
  tabstop=8
  filetype=help

# for modelines like: vim: set sw=4 sts=4 et ft=vim :
$ vim /usr/share/vim/vimfiles/plugin/securemodelines.vim
:set sw? sts? et? ft?
  shiftwidth=4
  softtabstop=4
  expandtab
  filetype=vim

Thanks!
"""

So it's not lost, I'm opening this bug report.

CC'ing Ciaran as he's the author of securemodelines and also commented in the previously mentioned bug report about the idea.
Comment 1 Jim Ramsay (lack) (RETIRED) gentoo-dev 2011-01-04 14:15:48 UTC
Is there any reason this hasn't gone upstream?  I security fix like this feels like it's more suited to be part of vim by default.

But until then, I can see the value of having it in our RDEPEND via USE flag, sure.
Comment 2 Ciaran McCreesh 2011-01-04 14:30:18 UTC
Bram considers the built-in modeline support to be sufficiently secure. It's his opinion that being able to screw up the user's terminal, allocate lots and lots of RAM and make Vim unusable aren't security holes. Thus, Vim's modelines allow you to set any option that hasn't been proven to allow arbitrary code execution.
Comment 3 Jim Ramsay (lack) (RETIRED) gentoo-dev 2011-01-04 15:08:15 UTC
@Ciaran: Upstream said no; understood.

So the next step, I suppose, would be to stabilize app-vim/securemodelines so I can RDEPEND from all current [g]vim versions.

But before I do that, I think there are a couple minor issues to resolve:

-> The ebuild and the script header both say that documentation is available at http://ciaranm.org/tag/securemodelines which does not seem to exist.  Is there an updated location for the documentation?  Or any chance someone could do up an actual vimhelp page for this plugin?

-> I noticed that there's no way to disable securemodelines at all.  If you have the plugin installed, it always runs.  Having a disable variable may be nice.  Also since the script is already checking 'modelines' and disabling it, perhaps it could also key off the presence of this setting to detect the user's intent, something like this:

  if (! exists("g:secure_modelines_enable"))
    if &modeline
      let g:secure_modelines_enable = 1
    else
      let g:secure_modelines_enable = 0
    endif
  endif

Thus if the user already has 'modelines' enabled the default is to use secure modelines.  If the user has neither 'modelines' nor 'g:secure_modelines_enable' on, the script should do nothing.  Thoughts?
Comment 4 Matt Turner gentoo-dev 2011-06-06 05:26:10 UTC
Ciaran?
Comment 5 Ciaran McCreesh 2011-06-06 08:06:21 UTC
The homepage is now https://github.com/ciaranm/securemodelines .

I'd happily take a git format-patch doing what you suggest for disabling things.
Comment 6 Matt Turner gentoo-dev 2011-07-31 00:07:20 UTC
vim@?