sponsor Vim development Vim logo Vim Book Ad

securemodelines : Secure, user-configurable modeline support

 script karma  Rating 114/44, Downloaded by 3521  Comments, bugs, improvements  Vim wiki

created by
Ciaran McCreesh
 
script type
utility
 
description
Secure, user-configurable modeline support for Vim 7.

Vim's internal modeline support allows all sorts of annoying and potentially insecure options to be set. This script implements a much more heavily restricted modeline parser that permits only user-specified options to be set.

The g:secure_modelines_allowed_items array contains allowable options. By default it is set as follows:

    let g:secure_modelines_allowed_items = [
                \ "textwidth",   "tw",
                \ "softtabstop", "sts",
                \ "tabstop",     "ts",
                \ "shiftwidth",  "sw",
                \ "expandtab",   "et",   "noexpandtab", "noet",
                \ "filetype",    "ft",
                \ "foldmethod",  "fdm",
                \ "readonly",    "ro",   "noreadonly", "noro",
                \ "rightleft",   "rl",   "norightleft", "norl"
                \ ]

The g:secure_modelines_verbose option, if set to something true, will make the script warn when a modeline attempts to set any other option.

The g:secure_modelines_modelines option overrides the number of lines to check. By default it is 5.

If g:secure_modelines_leave_modeline is defined, the script will not clobber &modeline. Otherwise &modeline will be unset.

Keeping things up to date on vim.org is a nuisance. For the latest version, visit:

    http://github.com/ciaranm/securemodelines
 
install details
Install into your plugin directory of choice.
 

rate this script Life Changing Helpful Unfulfilling 
script versions (upload new version)

Click on the package to download.

package script version date Vim version user release notes
securemodelines.vim 20080424 2008-04-24 7.0 Ciaran McCreesh Two tweaks, thanks to Christian J. Robinson: Make the messages it echoes end up in the :messages history. Modelines of the format "vim: set ...:" can also be be "vim:set ...:".
securemodelines.vim 20070518 2007-05-18 7.0 Ciaran McCreesh The number of lines to search is now controllable via let g:secure_modelines_modelines=5. If g:secure_modelines_leave_modeline is defined, the internal &modeline variable will be left alone. Previously only one line at the end of the document would be searched for modelines. This is now fixed, thanks to Thomas de Grenier de Latour. The <SID>DoModelines function can now be accessed externally via SecureModelines_DoModelines.
securemodelines.vim 20070513 2007-05-13 7.0 Ciaran McCreesh Modelines with no set: are now parsed correctly. rightleft is now included in the default allowed options, for help files. Builtin modelines are now forcibly disabled.
securemodelines.vim 20070409 2007-04-29 7.0 Ciaran McCreesh Initial upload
ip used for rating: 35.170.81.33

If you have questions or remarks about this site, visit the vimonline development pages. Please use this site responsibly.
Questions about Vim should go to the maillist. Help Bram help Uganda.
   
Vim at Github