Hello,

I have tested ruby code completion in vim and found that it is quite
insecure.

Let's have a file 'a.rb':

system('echo vim je pako > /tmp/pako')

class MyTest
  def test
    return 1
  end
end

And then some file we edit, e.g. 'b.rb':

require 'a'

t = MyTest.new
t.t

Now put the cursor at the end of the last line of b.rb and press CTRL-X-O
(code completion); vim will correctly complete "test".

But as a side effect the file "/tmp/pako" with content "vim je pako" will be
created...

This can clearly be misused by an attacker or can cause harm
accidentally. People don't expect a program to be run when editing it.

If code completion is done by code evaluation and introspection, the safe
level should be set to prevent dangerous operations, e.g. $SAFE=4.

Maybe the user could have an option to set a lower safe mode, but the
implicit configuration should be safe.

Thanks for the great work you do on vim.

Regards,

-- 
Mgr. Martin Povolný, soLNet, s.r.o.
Technická podpora <[EMAIL PROTECTED]>
telefon: +420/549131233, +420/737743587
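As an added example (not from the mail above and not Vim's own completion code), here is how the same completion result can be obtained without executing the edited file: parse it with Ripper from Ruby's standard library and collect class and method names statically, so the system() call in a.rb is never run. The sample source is constructed inline from the mail's a.rb; note that the $SAFE levels proposed above no longer exist in current Ruby ($SAFE=4 was removed in 2.1 and $SAFE entirely in 3.0), which is one reason a parse-only approach is the durable fix.

```ruby
require 'ripper'

# Constructed sample: the same shape as a.rb from the mail. It is parsed
# below, never required, so the system() call has no effect.
SAMPLE_SOURCE = <<~'RUBY'
  system('echo vim je pako > /tmp/pako')

  class MyTest
    def test
      return 1
    end
  end
RUBY

# Walk Ripper's S-expression and collect instance method names per class.
# Returns e.g. {"MyTest" => ["test"]}; an unparseable source yields {}.
def collect_methods(source)
  sexp = Ripper.sexp(source)
  return {} unless sexp
  result = Hash.new { |h, k| h[k] = [] }
  walk(sexp, nil, result)
  result
end

def walk(node, current_class, result)
  return unless node.is_a?(Array)
  case node[0]
  when :class
    # [:class, [:const_ref, [:@const, "MyTest", [line, col]]], superclass, body]
    name = node[1].flatten.find { |x| x.is_a?(String) }
    node[3..-1].each { |child| walk(child, name, result) }
    return
  when :def
    # [:def, [:@ident, "test", [line, col]], params, body]
    result[current_class] << node[1][1] if current_class
    return
  end
  node.each { |child| walk(child, current_class, result) }
end

# Completion candidates for `klass` whose name starts with `prefix`,
# computed purely from the parse tree (no evaluation, no side effects).
def complete(source, klass, prefix)
  collect_methods(source).fetch(klass, []).select { |m| m.start_with?(prefix) }
end
```

Calling complete(SAMPLE_SOURCE, "MyTest", "t") returns ["test"], matching what the mail reports Vim completing, while /tmp/pako is never touched.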
