Ex command substitutions (:help cmdline-special) seem to be done on the keyword
when using the K command. Due to normal settings for iskeyword this won't
usually
show up for K, but will for {Visual}K if you, e.g., highlight a URL with a # in
it
and use K on it (with keywordprg set to 'firefox' or something--'open' for me
on
Mac OS X--this makes sense: in fact it is very useful). If there is no
alternate
file you get an error in Vim, but if there is one, nonsense just gets passed to
the shell. It should be checked that the keyword is properly shell-escaped,
too. I
can't quickly think of a way to easily exploit this one, so I don't think it's
a
security risk, but it's definitely a bug.
Ben.
--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
