Bram Moolenaar wrote:
> > Perhaps modelines should only allow a VERY limited set
> > of operations by default (even more restricted than now).
>
> Sure, simply use ":set nomodeline".

I'm suggesting "defence in depth". My vimrc might have
':set nomodeline', but what if I make a mistake? What if I'm
using some other machine where I'm not sure what's in vimrc?
What if I use the -u option? And there are probably other
scenarios where a simple oversight could cause me to execute
a modeline in an untrusted file.

> > What if I want modelines (but never to do more than set a few
> > options like tabs).
>
> Even setting 'textwidth' to 2 may already be considered
> harmful, or at least annoying.

I don't mind being occasionally irritated with a stupid
modeline. But I really don't want an editor to execute code
when I open a file. Change volatile settings - no problem.
Execute - no thanks.

> Perhaps we can add yet-another-option to completely disable
> setting some options from the modeline.

Modelines should default to be safe (safe by design, AND safe
because of defence in depth). If another option were added, it
should be to allow expressions or other features that are
potentially unsafe (not disallow unsafe features).

"Potentially unsafe" means we're pretty sure it IS safe, but
(for example), it's simply not worthwhile allowing a modeline
longer than 100 bytes because if another vulnerability were
ever found, we don't want to make it easy for the attacker.

> It's better to make sure the sandbox works as it should.

Of course, but bitter experience shows that defence in depth is
the best strategy. Vim has a lot of very clever features that
are too complex to ever be secure, when executing a modeline
from an untrusted source.

John
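As an added illustration of the "defence in depth" point made above (not code from this thread, from Vim, or from either correspondent), the following script scans a file the way Vim would look for modelines, only the first and last 'modelines' lines, parses both modeline syntaxes from ':help modeline', and reports each one together with two flags: whether it exceeds the 100-byte length mentioned in the discussion, and whether it sets an option that holds an expression or function name. Assumptions: the list of expression-taking option names is constructed from Vim's option documentation (foldexpr/fde, indentexpr/inde and so on) and is not exhaustive; version specs such as `vim700:` are recognised but not evaluated; option names are not validated against Vim's option table; the sample file at the end is constructed.

```python
import re

# Vim checks the first and last 'modelines' lines of a file (default 5).
MODELINES = 5
# Length bound taken from the discussion above; a constructed policy value.
MAX_MODELINE_BYTES = 100

# Options that take an expression or function name, with their short forms.
# Constructed list; the generic *expr/*func suffix check below catches others.
EXPR_OPTIONS = {
    'foldexpr', 'fde', 'indentexpr', 'inde', 'formatexpr', 'fex',
    'includeexpr', 'inex', 'diffexpr', 'dex', 'patchexpr', 'pex',
    'printexpr', 'pexpr', 'charconvert', 'ccv', 'omnifunc', 'ofu',
    'completefunc', 'cfu',
}

# Modeline prefix: start of line or whitespace, then vi:/vim:/Vim:/ex:,
# optionally with a version spec such as vim700: or vim<700: (the version
# check is recognised here but not evaluated).
_PREFIX = re.compile(r'(?:^|\s)(?:vi|vim|Vim|ex)(?:[<=>]?\d+)?:\s*')
_UNESCAPED_COLON = r'(?<!\\):'


def parse_modeline(line):
    """Return the option tokens of a modeline, or [] if the line is not one.

    Follows the two syntaxes in ':help modeline':
      first form:  vim: opt1 opt2:opt3     options separated by space or ':'
      second form: vim: set opt1 opt2:     options end at the first ':'
    A '\\:' inside a value stands for a literal ':' in both forms.
    """
    m = _PREFIX.search(line)
    if not m:
        return []
    rest = line[m.end():]
    setform = re.match(r'se(?:t)?\s+(.*)', rest)
    if setform:
        body = re.split(_UNESCAPED_COLON, setform.group(1), maxsplit=1)[0]
        tokens = body.split()
    else:
        tokens = re.split(_UNESCAPED_COLON + r'|\s+', rest)
    return [t.replace('\\:', ':') for t in tokens if t]


def expression_option(token):
    """Return the option name if this token sets an expression/function option."""
    name = re.split(r'[+^-]?=', token, maxsplit=1)[0].rstrip('!&<')
    if name in EXPR_OPTIONS or name.endswith(('expr', 'func')):
        return name
    return None


def find_modelines(text, modelines=MODELINES):
    """Scan the lines Vim would honour and report each modeline with flags.

    Returns a list of (line_number, options, flags); flags is empty when
    the modeline only sets plain options such as 'ts' or 'sw'.
    """
    lines = text.splitlines()
    if len(lines) <= 2 * modelines:
        candidates = list(enumerate(lines, 1))
    else:
        head = list(enumerate(lines[:modelines], 1))
        tail = list(enumerate(lines[-modelines:], len(lines) - modelines + 1))
        candidates = head + tail
    findings = []
    for lineno, line in candidates:
        options = parse_modeline(line)
        if not options:
            continue
        flags = []
        if len(line.encode('utf-8')) > MAX_MODELINE_BYTES:
            flags.append('longer than %d bytes' % MAX_MODELINE_BYTES)
        for opt in options:
            name = expression_option(opt)
            if name:
                flags.append('sets expression option %s' % name)
        findings.append((lineno, options, flags))
    return findings


# Constructed sample: a benign modeline, an oversized one, one outside the
# scanned window (ignored), and one that sets a fold expression.
SAMPLE = "\n".join([
    "# constructed sample file",
    "# vim: set ts=4 sw=4 et:",
    "# ex: " + "sw=4:" * 25,
    "body line",
    "body line",
    "# vi: ts=8   (line 6 of 12: outside the first/last 5, so ignored)",
    "body line",
    "body line",
    "body line",
    "body line",
    "body line",
    "// vim:fdm=expr:fde=getline(v\\:lnum)=~'^#'",
])

if __name__ == '__main__':
    for lineno, options, flags in find_modelines(SAMPLE):
        print(lineno, options, flags or ['plain settings only'])
```

Run against the sample, the benign `set ts=4 sw=4 et:` line comes back with no flags, the 131-byte line is flagged for length, the line in the middle of the file is never examined, and the `fde=` line is flagged as setting an expression option. Such a pre-open check is a second layer in front of 'nomodeline' or the sandbox, which is exactly the role the message above argues for.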
