Comment by ramses0

1 year ago

vim used to have similar vulnerabilities (maybe still does?) via modelines:

https://security.stackexchange.com/questions/36001/vim-model...

https://lwn.net/Articles/20249/

Circa 2002-2003, and the LWN comment describing the exact same scope:

"""emacs is the same, if not worse. (See the node File Variables in the info docs.) You get not only to set random buffer-local variables, but also to evaluate arbitrary lisp code. Ouch!"""

Someone took the first tomato!

  • I'm firmly in the vim camp, just wanting to share the history, utterly surprised (but not...) that it's ~25+ years in the making.

    Funny story once checking a bug report, OG founder of the company dropped in: "I like to check in on my bug reports every 10 years..."

    It's not just an open-source issue, hard decisions are hard decisions.