After 3 years, I closed out bug 178480 by keywording app-vim/securemodelines on mips. In the report, Mike Kelley (now retired) put forth this plan:

"""
I intend to completely disable vim's builtin modeline support and have (g)vim RDEPEND on securemodelines unless USE="insecure-modelines". Note that this script will still function properly even if vim's own modeline support hasn't been completely disabled.

For a few good test cases, try:

  # for modelines like: vim:tw=78:ts=8:ft=help
  $ vim /usr/share/vim/vimfiles/doc/gentoo-syntax.txt
  :set tw? ts? ft?
    textwidth=78
    tabstop=8
    filetype=help

  # for modelines like: vim: set sw=4 sts=4 et ft=vim :
  $ vim /usr/share/vim/vimfiles/plugin/securemodelines.vim
  :set sw? sts? et? ft?
    shiftwidth=4
    softtabstop=4
    expandtab
    filetype=vim

Thanks!
"""

So it's not lost, I'm opening this bug report. CC'ing Ciaran as he's the author of securemodelines and also commented in the previously mentioned bug report about the idea.
Is there any reason this hasn't gone upstream? A security fix like this feels like it's more suited to be part of vim by default. But until then, I can see the value of having it in our RDEPEND via USE flag, sure.
Bram considers the built-in modeline support to be sufficiently secure. It's his opinion that being able to screw up the user's terminal, allocate lots and lots of RAM and make Vim unusable aren't security holes. Thus, Vim's modelines allow you to set any option that hasn't been proven to allow arbitrary code execution.
@Ciaran: Upstream said no; understood. So the next step, I suppose, would be to stabilize app-vim/securemodelines so I can RDEPEND from all current [g]vim versions. But before I do that, I think there are a couple minor issues to resolve:

-> The ebuild and the script header both say that documentation is available at http://ciaranm.org/tag/securemodelines which does not seem to exist. Is there an updated location for the documentation? Or any chance someone could do up an actual vimhelp page for this plugin?

-> I noticed that there's no way to disable securemodelines at all. If you have the plugin installed, it always runs. Having a disable variable may be nice. Also since the script is already checking 'modelines' and disabling it, perhaps it could also key off the presence of this setting to detect the user's intent, something like this:

  if (! exists("g:secure_modelines_enable"))
    if &modeline
      let g:secure_modelines_enable = 1
    else
      let g:secure_modelines_enable = 0
    endif
  endif

Thus if the user already has 'modelines' enabled the default is to use secure modelines. If the user has neither 'modelines' nor 'g:secure_modelines_enable' on, the script should do nothing. Thoughts?
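The two test cases quoted from Mike Kelley's plan use the two modeline syntaxes Vim documents under ':help modeline', and Ciaran's comment above describes why a plugin would want to restrict which options a modeline may set. The following Python script, an added illustration rather than code from the securemodelines plugin or from Vim, parses both forms and splits the items into those on an allowlist and those it would refuse to apply. The allowlist here is an assumption chosen for the example (a handful of indentation and filetype options), not the plugin's own list, and escaped colons inside values are not handled.

```python
import re
from typing import Dict, List, Tuple

# Allowlist of option names this example is willing to apply from a modeline.
# Assumption for this example only; the real plugin ships its own default list.
SAFE_OPTIONS = {
    "textwidth", "tw", "softtabstop", "sts", "tabstop", "ts",
    "shiftwidth", "sw", "expandtab", "et", "noexpandtab", "noet",
    "filetype", "ft", "foldmethod", "fdm", "readonly", "ro",
    "noreadonly", "noro", "autoindent", "ai", "noautoindent", "noai",
}

# Modeline prefix per ':help modeline': start of line or whitespace, then
# vi:, vim:, Vim: or ex:, then optional whitespace before the items.
_PREFIX = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$")


def extract_items(line: str) -> List[str]:
    """Return the option items of a modeline, or [] if the line has none.

    Handles both forms shown in the bug report:
      vim:tw=78:ts=8:ft=help            items separated by ':' or whitespace
      vim: set sw=4 sts=4 et ft=vim :   'set' form, items end at the next ':'
    """
    match = _PREFIX.search(line)
    if not match:
        return []
    rest = match.group(1)
    set_form = re.match(r"se(?:t)?\s+(.*)$", rest)
    if set_form:
        # In the 'set' form everything after the closing ':' is ordinary text.
        body = set_form.group(1).split(":", 1)[0]
        return body.split()
    return [item for item in re.split(r"[:\s]+", rest) if item]


def split_item(item: str) -> Tuple[str, str]:
    """Split 'name=value' into (name, value); a bare flag gets value ''."""
    name, _, value = item.partition("=")
    return name, value


def filter_modeline(line: str, allowed=SAFE_OPTIONS) -> Tuple[Dict[str, str], List[str]]:
    """Return (options to apply, items rejected) for one line of a file."""
    applied: Dict[str, str] = {}
    rejected: List[str] = []
    for item in extract_items(line):
        name, value = split_item(item)
        if name in allowed:
            applied[name] = value
        else:
            rejected.append(item)
    return applied, rejected


if __name__ == "__main__":
    # Constructed sample lines: the two from the bug report plus one with an
    # option that is not on the allowlist and one without any modeline.
    samples = [
        "vim:tw=78:ts=8:ft=help",
        "vim: set sw=4 sts=4 et ft=vim :",
        "/* vim: set ts=4 makeprg=make : */",
        "no modeline on this line",
    ]
    for sample in samples:
        applied, rejected = filter_modeline(sample)
        print(f"{sample!r}\n  apply : {applied}\n  reject: {rejected}")
```

Running the script on the constructed samples applies every item from the two lines quoted in the report and rejects only 'makeprg=make' from the third; a line without a recognised prefix yields nothing. In a real editor plugin the equivalent check would run against the first and last 'modelines' lines of the buffer and call :setlocal only for the accepted items.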
Ciaran?
The homepage is now https://github.com/ciaranm/securemodelines . I'd happily take a git format-patch doing what you suggest for disabling things.
vim@?