bee_rider 19 hours ago

Doesn’t vim also have some ability, easily abused, to put a script at the top of a file, and it’ll just run when you open the thing?

This seems like a really useful functionality to have in the context where you actually do trust the files, but it is wildly insecure and an unexpected trapdoor, to have simple files executing things when you open them with a simple text editor…

taeric 19 hours ago

Emacs has that, too. There are protections in that case, though. See: https://www.gnu.org/software/emacs/manual/html_node/emacs/Sa...

Probably going to add similar protections here? Basically, I'd assume if it is your first time visiting a file, macros won't be expanded during autocompletion.

bee_rider 19 hours ago

I dunno. I can see why this functionality might be useful, but I kinda think distros should disable it by default/make it whitelist-only.

I think the implications are really unexpected for “new” users (where “new” could be pretty generously defined, I mean, I know a couple people who use vim IRL, I think they would not expect this… it is the sort of thing you know about if you are somebody who goes online to talk about text editors I think). And these are also the sort of users who are used to seeing shebangs and other line noise at the top of files, not understanding it, and ignoring it.

I think we’re only being protected by the fact that spreading a virus through command-line text editors is… going to result in not a ton of hits.

taeric 19 hours ago

I'm confused. Per the doc, it is disabled by default? Specifically, the first time it is encountered on a file, it will ask the user if they want to allow it. And they flat out don't ever do things like "eval" during these values.

hollerith 18 hours ago

That's a different potential vulnerability. I knew about that one (and had disabled the running of such scripts). I didn't know about this one till today.

Helping me finish typing the name of a function or variable ("completion") is not the sort of thing I expected (till today) the maintainers of Emacs to be so eager to do that they'd start running code that I never asked to be run.

magic_smoke_ee 19 hours ago

A common pitfall of IDE integration for dynamic languages is that it tends to execute the code under test to provide contextual completion or may decide to run doctests, etc. This has been/is a problem with editing Ruby code, and perhaps Python code and more too. I'm unsure if this is a problem editing vimscript or lua with NeoVim, with the only non-evidence being that I haven't heard of it.