According to the help, this option aims at providing additional security for files read with the 'exrc' option on. But there is a big bunch of ways to bypass the additional security. E.g.:

First of all, it is completely useless against an attacker pushing something to some repository the targets are using: “On Unix this option is only used if the ".vimrc" or ".exrc" is not owned by you.” disables the 'secure' setting for all cloned repositories. (Note that the help contains sentences that led me to the conclusion that if I have `set secure` in my vimrc it will then apply to files owned by me and sourced by `set exrc`, but it actually does not.)

Second, it is useless against attacks on specific plugins like netrw: you can easily embed in `g:netrw_http_cmd` a shell command that downloads and runs a shell.

Third, as there are not too many plugins vulnerable to such attacks, one can define a command like `AuV`, which is the shortcut I use for `AuVimDiff`: if the shorter version is defined it is used in place of the full version, but defined commands are not echoed.

Fourth, if the exrc uses `silent map` then maps are not echoed (though the “Press ENTER” prompt is displayed, but without errors and with many plugins it is easy to ignore, especially if it does not repeat). It is then easy to map all commonly used keys to something that runs malicious code and cleans out all tracks.

I.e. `set secure` cannot be used to run an exrc from an untrusted source, but it looks as if it should be used to do such a thing. I guess its uselessness is worth mentioning in :h 'secure'. Or all of the above issues should be fixed, but I believe fixing the second and third issues will render exrcs nearly useless with `set secure`.
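The message above argues that 'secure' does not make 'exrc' safe for files that arrive with a cloned repository. The following vimrc fragment is an added example (not from the thread, not Vim's own code) of the mitigation a defender can apply instead: leave 'exrc' off and source a project-local rc only when the SHA-256 of its contents matches an allow-list maintained in your own vimrc. The dictionary name `g:trusted_local_rc`, the function `s:SourceTrustedLocalRc`, the example path and the `PLACEHOLDER_SHA256_HEX` value are assumptions for illustration; it relies on the built-in `sha256()`, `readfile()`, `resolve()` and `fnameescape()` functions.

```vim
" Added example, not code from the vim_dev thread or from Vim itself.
" Keep 'exrc' off: nothing in the working directory is sourced implicitly.
set noexrc
set secure

" Hypothetical allow-list: absolute (symlink-resolved) path -> sha256 of the file.
" To record a file's hash after reviewing it:
"   :echo sha256(join(readfile(expand('%:p'), 'b'), "\n"))
let g:trusted_local_rc = {
      \ '/home/me/src/project-a/.vimrc': 'PLACEHOLDER_SHA256_HEX',
      \ }

function! s:SourceTrustedLocalRc() abort
  " sha256() needs the +cryptv feature; skip silently if it is absent.
  if !exists('*sha256')
    return
  endif
  let l:candidate = getcwd() . '/.vimrc'
  if !filereadable(l:candidate)
    return
  endif
  " Resolve symlinks so the allow-list key refers to the real file.
  let l:path = resolve(fnamemodify(l:candidate, ':p'))
  " Hash the exact bytes on disk; a pushed change to the file changes the hash.
  let l:hash = sha256(join(readfile(l:path, 'b'), "\n"))
  if get(g:trusted_local_rc, l:path, '') ==# l:hash
    execute 'source' fnameescape(l:path)
  else
    echohl WarningMsg
    echomsg 'Untrusted local rc ignored: ' . l:path
    echohl None
  endif
endfunction

augroup TrustedLocalRc
  autocmd!
  autocmd VimEnter * call s:SourceTrustedLocalRc()
augroup END
```

Because the decision is made on the file's content rather than on its owner, the first bypass in the message (an attacker committing a modified rc to a repository you clone) no longer applies: any edit changes the hash and the file is skipped with a visible warning. The remaining bypasses (plugin variables, short command names, silent maps) are moot for a file that is never sourced, and a file you have reviewed and hashed is one you chose to trust.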
