oss-sec mailing list archives

Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272


From: Christian Brabandt <cb () 256bit org>
Date: Thu, 2 Apr 2026 19:55:12 +0200


On Do, 02 Apr 2026, David A. Wheeler wrote:

I think it's best to disable this functionality for now.
Perhaps it should be disabled by default until it has a better
self-protection mechanism. The default should only allow specific fields
with specific permitted value ranges, so that attackers can't mess with people.
A 'textwidth' of 5, set without user approval, sounds like a bad idea.
Tabs are pretty much only a few valid values; I doubt "250" is a reasonable one.

If someone really wants the existing modeline behavior, an "insecure modeline" option
would make sense, but I bet most users would not enable it.

It seems the community prefers a whitelist approach however. So this is 
probably what it will be soon.

Thanks,
Christian
-- 
F: Was ist golden und fliegt durch die Luft?
A: Maikäfer mit Goldzahn.


Current thread: