lloeki 8 hours ago
> The first one seems to indeed be a real RCE in vim.

Barely: since there is little restriction as to what options modelines can set, they should be largely considered equivalent to eval (if unintentionally). And generally they are, which is why distros typically disable them by default. IMHO in this day and age securemodelines should just be the default.
i_cannot_hack 7 hours ago
I don't know much about vim, but from the report it sounds like part of the issue was that disabling modelines would not prevent it:

> tabpanel is missing P_MLE
>
> Unlike statusline and tabline, tabpanel is not marked with the P_MLE flag. This allows a modeline to inject %{...} expressions even when modelineexpr is disabled.

Edit: Upon re-reading the above, I guess disabling modelineexpr is not the same as disabling modelines, and disabling modelines altogether might indeed prevent the issue.
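As an added example (not code from the thread or from the Vim project), a small POSIX shell scanner for the thing the two comments are weighing: it lists the modelines in a file and flags any that set an option whose value can carry a `%{...}` expression item (tabpanel, per the report quoted above, alongside statusline and tabline), or that contain `%{` at all. It assumes Vim's default 'modelines' value of 5, the short option names tpl/stl/tal, and treats rulerformat/ruf as a further expression-capable option; the sample files used in the test are constructed.

```shell
#!/bin/sh
# Added example: not code from the thread or from the Vim project.
# Lists a file's modelines and flags those that set an expression-capable
# option (tabpanel, statusline, tabline; rulerformat added as an assumption)
# or that carry a %{...} item anywhere.
# Assumptions: 'modelines' at its default of 5; short names tpl/stl/tal/ruf.

# The lines Vim inspects for modelines: the first and last 'modelines' (5) lines.
# Identical lines are reported once (a short file is covered by both head and tail).
modeline_region() {
    { head -n 5 "$1"; tail -n 5 "$1"; } | awk '!seen[$0]++'
}

# Keep only lines carrying a vi:/vim:/Vim:/ex: marker at line start or after whitespace.
extract_modelines() {
    modeline_region "$1" | grep -E '(^|[[:space:]])(vi|vim|Vim|ex):' || true
}

# Split one modeline into option tokens. Handles both forms Vim accepts:
#   "vim: set ts=4 tabpanel=%{x}:"   and   "vim:ts=4:tabpanel=%{x}"
modeline_tokens() {
    printf '%s\n' "$1" \
        | sed -E 's/^(.*[[:space:]])?(vi|vim|Vim|ex)://' \
        | tr ': ' '\n\n' \
        | grep -v '^$' || true
}

# Print one FLAG line per suspicious token found in FILE's modelines.
scan_modelines() {
    extract_modelines "$1" | while IFS= read -r line; do
        modeline_tokens "$line" | while IFS= read -r tok; do
            case "$tok" in
                tabpanel=*|tpl=*|statusline=*|stl=*|tabline=*|tal=*|rulerformat=*|ruf=*)
                    printf 'FLAG expression-capable option: %s\n' "$tok" ;;
                *'%{'*)
                    printf 'FLAG expression item: %s\n' "$tok" ;;
            esac
        done
    done
}

# Return 0 if FILE has at least one flagged modeline token, 1 otherwise.
modeline_risky() {
    [ -n "$(scan_modelines "$1")" ]
}

# Stand-alone use: sh scan_modelines.sh FILE...
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        if modeline_risky "$f"; then
            echo "$f: risky modeline"
            scan_modelines "$f"
        else
            echo "$f: no expression-capable options in modelines"
        fi
    done
fi
```

The scanner only tells you what a file would ask Vim to set; whether Vim honours it is decided by the two options the second comment distinguishes. Inside Vim, `:set modeline? modelineexpr?` shows both values, and `set nomodeline` in the vimrc is the "disable modelines altogether" setting, as opposed to `set nomodelineexpr`, which per the quoted report is the one a missing P_MLE flag lets tabpanel bypass.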