ramses0 19 hours ago

vim used to have similar vulnerabilities (maybe still does?) via modelines:

https://security.stackexchange.com/questions/36001/vim-model...

https://lwn.net/Articles/20249/

Circa 2002-2003, and the LWN comment describing the exact same scope:

"""emacs is the same, if not worse. (See the node File Variables in the info docs.) You get not only to set random buffer-local variables, but also to evaluate arbitrary lisp code. Ouch!"""

Ferret7446 9 hours ago

At least for file variables, Emacs prompts before loading untrusted values.

nicce 19 hours ago

Someone took the first tomato!

ramses0 17 hours ago

I'm firmly in the vim camp, just wanting to share the history, utterly surprised (but not...) that it's ~25+ years in the making.

Funny story once checking a bug report, OG founder of the company dropped in: "I like to check in on my bug reports every 10 years..."

It's not just an open-source issue, hard decisions are hard decisions.