This repository has been archived by the owner on Aug 21, 2023. It is now read-only.

This plugin distributed with vim? #30

Open
ffes opened this issue May 7, 2018 · 9 comments

Comments

@ffes

ffes commented May 7, 2018

Are you aware of this issue: vim/vim#2286

Please note the last part of it 😉

@sgur
Owner

sgur commented May 7, 2018

Oh, I forgot about the issue.
Of course, there is no problem for me.

@andymass

andymass commented May 8, 2018

There are some security issues which should be addressed before considering distribution with vim. Modelines are widely considered insecure, but editorconfig is much worse. Consider:

charset = cp932 | !echo "you've been hacked 1"
spell_language = en_us | !echo "you've been hacked 2"

Not to mention the local_vim option, which should be blacklisted by default.

@sgur
Owner

sgur commented May 9, 2018

Thank you for your report.
I created an issue #31

@polyzen

polyzen commented Jul 25, 2018

Bump

@andymass

Here is another exploit. It allows sourcing any Vim script regardless of the user's settings.

[*]
charset = cp932 foldexpr:execute(\"let\ g:editorconfig_local_vimrc\\75\ 1\") foldmethod:expr foldenable foldlevel:0
local_vimrc = exploit

Just to be clear: this is a very fine plugin and it does what it was designed to do. But more users should be doing extensive testing and hardening, especially if they want it to be considered for inclusion in vim (even though this happening is far from guaranteed for a variety of reasons also not related to the quality of this plugin.)
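Both exploits in this thread work because the plugin builds an Ex command line from a value read out of .editorconfig: a `|` in the value ends the `:setlocal` command and runs what follows (the charset and spell_language examples above), and spaces let the value smuggle in extra options such as 'foldexpr' (the second exploit, which then flips g:editorconfig_local_vimrc). The following is an added example, not code from vim-editorconfig or from any of the commenters. It puts the vulnerable pattern next to a hardened one; the function and variable names (s:apply_charset_unsafe, s:apply_charset, s:charset_map, s:apply_spell_language, s:apply_local_vimrc, s:allow_local_vimrc) are assumptions made for this example, and only g:editorconfig_local_vimrc comes from the thread.

```vim
" Added example, not vim-editorconfig code. Function and variable names
" are assumptions; only g:editorconfig_local_vimrc is taken from the issue.

" VULNERABLE pattern: the raw .editorconfig value is pasted into an Ex
" command line. With value = 'cp932 | !echo hacked' the '|' terminates
" :setlocal and the remainder runs as a shell command. With
" value = 'cp932 foldexpr:... foldmethod:expr ...' the spaces let the file
" set any further options, including ones that evaluate expressions.
function! s:apply_charset_unsafe(value) abort
  execute 'setlocal fileencoding=' . a:value
endfunction

" HARDENED: map the declared charset through a fixed table and assign the
" options with let &l:..., which treats the whole string as the value and
" never re-parses it as a command line. Unknown values are ignored.
let s:charset_map = {
      \ 'latin1':    ['latin1',   0],
      \ 'utf-8':     ['utf-8',    0],
      \ 'utf-8-bom': ['utf-8',    1],
      \ 'utf-16be':  ['utf-16',   0],
      \ 'utf-16le':  ['utf-16le', 0],
      \ }

function! s:apply_charset(value) abort
  let l:key = tolower(a:value)
  if !has_key(s:charset_map, l:key)
    echohl WarningMsg
    echomsg 'editorconfig: ignoring unsupported charset ' . string(a:value)
    echohl None
    return 0
  endif
  let [l:enc, l:bomb] = s:charset_map[l:key]
  let &l:fileencoding = l:enc
  let &l:bomb = l:bomb
  return 1
endfunction

" Free-form values get a strict allow-list pattern before use; en_us style
" language codes need only letters, digits and '_'.
function! s:apply_spell_language(value) abort
  if a:value !~# '^[A-Za-z0-9_]\+$'
    echohl WarningMsg
    echomsg 'editorconfig: ignoring spell_language ' . string(a:value)
    echohl None
    return 0
  endif
  let &l:spelllang = a:value
  return 1
endfunction

" Whether a file named by local_vimrc may be sourced is read once, when
" this script loads (after the user's vimrc), and kept script-local. A
" .editorconfig that later flips g:editorconfig_local_vimrc, for example
" from an evaluated 'foldexpr', does not change this decision.
let s:allow_local_vimrc = get(g:, 'editorconfig_local_vimrc', 0)

" a:root is the directory holding the .editorconfig (assumed to be passed
" in by the caller). Only a readable regular file below that directory is
" sourced, so '..' and absolute paths in the value are rejected.
function! s:apply_local_vimrc(root, value) abort
  if !s:allow_local_vimrc
    echomsg 'editorconfig: local_vimrc is disabled; not sourcing ' . string(a:value)
    return 0
  endif
  let l:root = simplify(fnamemodify(a:root, ':p'))
  let l:path = simplify(fnamemodify(a:root . '/' . a:value, ':p'))
  if stridx(l:path, l:root) != 0 || !filereadable(l:path)
    echohl WarningMsg
    echomsg 'editorconfig: refusing to source ' . string(l:path)
    echohl None
    return 0
  endif
  execute 'source ' . fnameescape(l:path)
  return 1
endfunction
```

The general rule the example follows: never let a string read from the edited project reach `:execute` or `:set`; assign options with `let &l:option = value`, validate free-form values against an allow-list, and decide anything that can run code (such as local_vimrc) from the user's own configuration before any project file has been read.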

@sgur
Owner

sgur commented Jul 27, 2018

Thank you for reporting.

I created #33.

@sgur
Owner

sgur commented Jul 27, 2018

I fixed #31 and #33.

I appreciate that you reported such issues, because this plugin was created for my convenience and I wasn't concerned about security issues.

@chrisbra

BTW: if you really want to have your plugin included with Vim, I suggest mentioning it at the Vim issue. You should mention your license, that you intend to maintain it (which means that whenever you have a release ready for inclusion with Vim, submit the whole plugin to Bram).

@lollipopman

@sgur are you interested, per my recent comment, vim/vim#2286 (comment)


6 participants