Hi Bram,

Thanks for your explanation!
Appreciate the patches you write a lot.

Best regards,
Mark Esler

On Sat, Jan 21, 2023 at 5:42 AM Bram Moolenaar <[email protected]> wrote:
>
> Mark Esler wrote:
>
> > Could you please let me know if you consider every Vim bug report on
> > Huntr.dev a security issue? Should Huntr.dev be assigning a CVE to every
> > bug report?
>
> I cannot say. Most of the reported problems require sourcing a Vim
> script. Once the user sources that script, it can do anything, no bug
> is required to do something harmful. Theoretically the user could look
> at the script to check what it is doing, but in practice we can expect
> this doesn't happen. Thus there is always the risk of a trojan horse.
>
> This is different from when the problem could be triggered by editing a
> text file that has been manipulated. There have been cases where a
> problem is triggered by a modeline in a text file, that is a much more
> serious security issue. I don't recall such a problem being reported on
> huntr.
>
> --
> hundred-and-one symptoms of being an internet addict:
> 31. You code your homework in HTML and give your instructor the URL.
>
> /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
> /// \\\
> \\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ ///
> \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
