Tomas Golembiovsky wrote:

> today somebody came to #vim, and pasted some modeline (containing joke or
> such). He muttered something about not knowing what that means and left
> before long. But (!) what I noticed is that feedkeys() was used as part of
> foldexpression and it turned out that feedkeys() is allowed in sandbox,
> which means malicious file can run arbitrary command via modeline like
> this:
>
> vim: fdm=expr fde=feedkeys("\\:!touch\ phantom_was_here\\<cr>")
>
> I guess you can see the consequences. Is this known/intentional?

That's pretty nasty. I'll make a patch right away.

--
Far back in the mists of ancient time, in the great and glorious days of the
former Galactic Empire, life was wild, rich and largely tax free.
Mighty starships plied their way between exotic suns, seeking adventure and
reward among the furthest reaches of Galactic space. In those days, spirits
were brave, the stakes were high, men were real men, women were real women
and small furry creatures from Alpha Centauri were real small furry creatures
from Alpha Centauri. And all dared to brave unknown terrors, to do mighty
deeds, to boldly split infinitives that no man had split before -- and thus
was the Empire forged.
    -- Douglas Adams, "The Hitchhiker's Guide to the Galaxy"

 /// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute -- http://www.A-A-P.org ///
 \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
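
A defensive check for the pattern reported in this thread, added here as an example; it is not part of the original messages or of Vim. It scans the first and last lines of a file for modelines that set an expression-valued option and reports the functions the expression calls. The option list is a non-exhaustive assumption, the parsing is a simplification of Vim's modeline rules, and the sample inputs are constructed (the first reuses the modeline quoted above).

```python
import re

# Expression-valued options and short names (assumed, non-exhaustive list).
EXPR_OPTIONS = {
    "foldexpr", "fde", "foldtext", "fdt", "indentexpr", "inde",
    "formatexpr", "fex", "includeexpr", "inex",
}
# "vim:", "vi:", "Vim:" or "ex:" at line start or after whitespace,
# optionally followed by "se"/"set".
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(?:set?\s+)?(.*)")
# Options are separated by whitespace or ':' unless backslash-escaped.
SPLIT_RE = re.compile(r"(?<!\\)[\s:]+")
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def scan_modelines(text, modelines=5):
    """Return (line_no, option, called_functions) for every expression
    option set by a modeline in the first/last `modelines` lines."""
    lines = text.splitlines()
    n = len(lines)
    head = set(range(min(modelines, n)))
    tail = set(range(max(0, n - modelines), n))
    findings = []
    for idx in sorted(head | tail):
        match = MODELINE_RE.search(lines[idx])
        if not match:
            continue
        for token in SPLIT_RE.split(match.group(1)):
            name, sep, value = token.partition("=")
            name = name.rstrip("+^-")  # also catch fde+=..., fde^=..., fde-=...
            if sep and name in EXPR_OPTIONS:
                findings.append((idx + 1, name, CALL_RE.findall(value)))
    return findings


# Constructed sample inputs.
SUSPICIOUS = "\n".join([
    "some joke text",
    r'# vim: fdm=expr fde=feedkeys("\\:!touch\ phantom_was_here\\<cr>")',
])
BENIGN = "int main(void) { return 0; }\n/* vim: set ts=4 sw=4 et: */"

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_modelines(sample))
```

A finding is a reason to open the file with modelines disabled (`set nomodeline`), not proof of malice; legitimate files occasionally set `foldexpr` or `indentexpr` this way.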