Hello, I have tested Ruby code completion in vim and found that it is quite insecure.

Let's have file 'a.rb':

    system('echo vim je pako > /tmp/pako')

    class MyTest
      def test
        return 1
      end
    end

And then some file we edit, e.g. 'b.rb':

    require 'a'
    t = MyTest.new
    t.t

Now put the cursor at the end of the last line of b.rb and press CTRL-X-O (code completion); vim will correctly complete "test". But as a side effect the file "/tmp/pako" with content "vim je pako" will be created...

This can clearly be misused by an attacker or can cause harm accidentally. People don't expect a program to be run when editing it.

If code completion is done by code evaluation and introspection, the safe level should be set to prevent dangerous operations, e.g. $SAFE=4. Maybe the user could have an option to set a lower safe mode, but the implicit configuration should be safe.

Thanks for the great work you do on vim.

Regards,

--
Mgr. Martin Povolný, soLNet, s.r.o.
Technická podpora <[EMAIL PROTECTED]>
telefon: +420/549131233, +420/737743587
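The following is an added example to illustrate the report above; it is not part of the post and not vim's or Ruby's own omni-completion code. It uses a constructed stand-in for a.rb in which the top-level `system(...)` call is replaced by a write to a global variable, so running it touches nothing on disk. The same file is "completed" twice: once by evaluating it and introspecting the resulting class, as the post describes, and once by parsing it with Ruby's standard Ripper library and walking the syntax tree, which yields the same method names without executing anything. The function names, the `MyTest` class layout with an extra `self.build` and the `$side_effect_ran` marker are assumptions made for this example.

```ruby
require 'ripper'

# Constructed stand-in for the a.rb from the post. The system(...) call is
# replaced by a global-variable write so the example is safe to run, but it
# sits at top level exactly like the original, so it runs the moment the file
# is loaded or evaluated.
UNTRUSTED_SOURCE = <<~RUBY
  $side_effect_ran = true   # stand-in for system('echo vim je pako > /tmp/pako')

  class MyTest
    def test
      return 1
    end

    def self.build
      new
    end
  end
RUBY

# Completion by evaluation: load the code, then ask the resulting class what
# it defines. Every top-level statement in the file runs as a side effect.
def complete_by_eval(source, class_name)
  $side_effect_ran = false
  eval(source, TOPLEVEL_BINDING, 'a.rb')
  klass = Object.const_get(class_name)
  names = klass.instance_methods(false).map(&:to_s) +
          klass.singleton_methods(false).map { |m| "self.#{m}" }
  { methods: names.sort, side_effect: $side_effect_ran }
end

# Name of the constant a class/module node refers to, e.g. "Net::HTTP".
def const_name(node)
  names = []
  walk = lambda do |n|
    next unless n.is_a?(Array)
    if n[0] == :@const
      names << n[1]
    else
      n.each { |c| walk.call(c) }
    end
  end
  walk.call(node)
  names.join('::')
end

# Walk a Ripper S-expression and record [owner, method_name] pairs.
# Nothing in the source is executed: only the parse tree is inspected.
def collect_methods(node, owner, out)
  return unless node.is_a?(Array)
  case node[0]
  when :class   # [:class, const, superclass, bodystmt]
    collect_methods(node[3], const_name(node[1]), out)
  when :module  # [:module, const, bodystmt]
    collect_methods(node[2], const_name(node[1]), out)
  when :def     # [:def, [:@ident, name, pos], params, bodystmt]
    out << [owner, node[1][1]]
  when :defs    # [:defs, receiver, period, [:@ident, name, pos], params, bodystmt]
    out << [owner, "self.#{node[3][1]}"]
  else
    node.each { |child| collect_methods(child, owner, out) }
  end
end

# Completion by static parsing: same answer, no code executed.
def complete_by_parse(source, class_name)
  $side_effect_ran = false
  sexp = Ripper.sexp(source)       # nil on a syntax error (e.g. a half-typed buffer)
  out = []
  collect_methods(sexp, 'Object', out) if sexp
  names = out.select { |owner, _| owner == class_name }.map { |_, name| name }
  { methods: names.sort, side_effect: $side_effect_ran }
end

if __FILE__ == $PROGRAM_NAME
  p complete_by_eval(UNTRUSTED_SOURCE, 'MyTest')   # side_effect: true
  p complete_by_parse(UNTRUSTED_SOURCE, 'MyTest')  # side_effect: false
end
```

Both calls report the same candidates for `MyTest` (`self.build` and `test`), but only the evaluation path sets `$side_effect_ran`; had the marker been the original `system('echo vim je pako > /tmp/pako')`, that is where the file would have been written. The parse path also degrades gracefully on the half-typed buffers an editor usually sees: `Ripper.sexp` returns nil on a syntax error, so the completer returns no candidates rather than failing.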