Greetings mortals,
today somebody came to #vim, and pasted some modeline (containig joke or
such). He muttered something about not knowing what that means and left
before long. But (!) what I noticed is that feedkeys() was used as part of
foldexpression and it turned out that feedkeys() is allowed in sandbox,
which means malicious file can run arbitrary command via modeline like
this:
vim: fdm=expr fde=feedkeys("\\:!touch\ phantom_was_here\\<cr>")
I guess you can see the consequences. Is this known/intentional?
--
Best regards,
Tomas Golembiovsky
--
|========================|----- - -
|
| Alan's Law of Research
|
| The theory is supported as long as the funds are.
|
|----- - -
