vim modelines insecure
I have previously disabled modelines in my vimrc, but had turned them on recently only to learn today that they are subject to another vulnerability. I’ve seen this before. Enough is enough. :)
Fortunately, this sparked a debate on the vim-dev mailing list. One of the outcomes is a vim script that replaces the modeline parser in vim. It is said to be a lot more strict about what it permits as valid modeline components and allows the user to control that in the vimrc.
You can grab the script, put it in your .vim/plugins/ directory and turn off the built-in modelines parser:
set modelines=0
Optionally you can set this variable to have the new parser show errors in parsing.
let g:secure_modelines_verbose=1
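
To illustrate the allowlist idea behind a stricter modeline parser, here is an added example (not the script mentioned above, and not code from the vim project) that audits a file's modelines against a list of permitted options. The allowlist, the function name and the sample text are assumptions made for this sketch.

```python
import re

# Assumed allowlist for this sketch; tune it to the options you trust.
ALLOWED = {"tabstop", "ts", "shiftwidth", "sw", "softtabstop", "sts",
           "expandtab", "et", "noexpandtab", "noet", "textwidth", "tw",
           "filetype", "ft", "fileformat", "ff"}

# Both modeline forms: "vim: opts" and "vim: set opts:".
MODELINE = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):\s*(.*)$")
SET_FORM = re.compile(r"^set? (.*?)(?<!\\):")
# Strict on purpose: a lowercase name and, optionally, a plain value.
OPTION = re.compile(r"^([a-z]+)(?:=([\w.,-]*))?$")

def audit_modelines(text, modelines=5):
    """Return (line_no, item, verdict) for every modeline item found in the
    first and last `modelines` lines, the region Vim inspects."""
    lines = text.splitlines()
    idx = sorted(set(range(min(modelines, len(lines)))) |
                 set(range(max(0, len(lines) - modelines), len(lines))))
    findings = []
    for i in idx:
        m = MODELINE.search(lines[i])
        if not m:
            continue
        body = m.group(1)
        s = SET_FORM.match(body)
        # "set" form: whitespace-separated items, ends at the first ':'.
        # Plain form: items separated by whitespace or ':'.
        items = s.group(1).split() if s else re.split(r"[\s:]+", body)
        for item in filter(None, items):
            o = OPTION.match(item)
            ok = o is not None and o.group(1) in ALLOWED
            findings.append((i + 1, item, "allow" if ok else "reject"))
    return findings

# Constructed sample: 15 lines, modelines on lines 1, 8 and 15.
SAMPLE = "\n".join(["# vim: set ts=4 sw=4 et:"] + ["x = 1"] * 6 +
                   ["# vim: set titlestring=x:"] + ["x = 1"] * 6 +
                   ["# vim: ts=8:foldexpr=0"])

if __name__ == "__main__":
    for line_no, item, verdict in audit_modelines(SAMPLE):
        print(f"line {line_no}: {item:<12} {verdict}")
```

The modeline on line 8 of the sample is not reported because it lies outside the first and last five lines.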