oss-sec mailing list archives
Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272
From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Tue, 31 Mar 2026 13:17:04 -0400
On Mar 31, 2026, at 11:57 AM, Christian Brabandt <cb () 256bit org> wrote: On Mo, 30 Mär 2026, Demi Marie Obenour wrote:Should `modeline` be disabled by default in future releases? It's a huge attack surface.Indeed, it is probably time to disable this by default: https://github.com/vim/vim/pull/19875
I agree. The defaults should be safe. Until that's fixed, vim users should edit ~/.vimrc to add: set noshowmode That won't help the many who use the defaults, but it's a start. --- David A. Wheeler
Current thread:
- [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Christian Brabandt (Mar 30)
- Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Demi Marie Obenour (Mar 30)
- Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Christian Brabandt (Mar 31)
- Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 David A. Wheeler (Mar 31)
- Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Tianyu Chen (Mar 31)
- Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Christian Brabandt (Mar 31)
- Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Demi Marie Obenour (Mar 30)