bartman's blog

vim modelines insecure

bartman

I had previously disabled modelines in my vimrc, but had turned them back on recently, only to learn today that they are subject to another vulnerability.

I’ve seen this before. Enough is enough. :)

Fortunately, this sparked a debate on the vim-dev mailing list. One of the outcomes is a vim script that replaces the modeline parser in vim. It is said to be a lot more strict about what it permits as valid modeline components, and it allows the user to control that in the vimrc.

You can grab the script, put it in your .vim/plugins/ directory and turn off the built-in modelines parser:

    set modelines=0

Optionally you can set this variable to have the new parser show errors in parsing.

    let g:secure_modelines_verbose=1
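
As an added illustration of the allow-list idea behind that replacement parser (my own Python sketch, not the vim-dev script's code), this scans the same head and tail lines Vim consults for modelines, accepts only a hypothetical set of display-related options, and reports every other component so a user can see what a file tried to set:

```python
import re

# Options a file may set for itself under this illustrative policy.
# Anything else is rejected: a modeline should only describe how to
# display the buffer, never run code or touch anything outside it.
ALLOWED_OPTIONS = {"ts", "tabstop", "sw", "shiftwidth", "sts", "et", "expandtab",
                   "noet", "noexpandtab", "tw", "textwidth", "ft", "filetype", "fenc", "ff"}

# "vim:", "vi:" or "ex:" at line start or after whitespace.
_MODELINE_RE = re.compile(r"(?:^|\s)(?:vim?|ex):\s*(.*)$")

def split_components(body):
    """'set ts=4 sw=4:' is space-separated and ends at the colon;
    'ts=4:sw=4' is colon- or space-separated."""
    if body.startswith(("set ", "se ")):
        body = body.split(" ", 1)[1].split(":", 1)[0]
        return body.split()
    return [c for c in re.split(r"[:\s]+", body) if c]

def parse_modeline(line):
    """Return (accepted options, rejected components) for one line."""
    accepted, rejected = {}, []
    m = _MODELINE_RE.search(line)
    if not m:
        return accepted, rejected
    for comp in split_components(m.group(1)):
        name, _, value = comp.partition("=")
        # Allow-listed name and a plain alphanumeric value only.
        if name in ALLOWED_OPTIONS and re.fullmatch(r"[A-Za-z0-9_-]*", value):
            accepted[name] = value
        else:
            rejected.append(comp)
    return accepted, rejected

def scan_file(lines, window=5):
    """Check the first and last `window` lines, as Vim's 'modelines' does."""
    accepted, rejected = {}, []
    cands = lines[:window] + lines[-window:] if len(lines) > 2 * window else lines
    for line in cands:
        a, r = parse_modeline(line)
        accepted.update(a)
        rejected.extend(r)
    return accepted, rejected

# Constructed sample: one well-behaved modeline, one with an option outside the allow-list.
SAMPLE_FILE = ["// constructed sample file", "// vim: set ts=4 sw=4 et:",
               "int main(void) { return 0; }", "// vim: ft=c:mouse=a:tw=80"]
```

Running `scan_file(SAMPLE_FILE)` accepts the indentation, filetype and textwidth settings and lists `mouse=a` as rejected, which is the kind of report the `g:secure_modelines_verbose` setting above is meant to surface.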