goneovim
Modeline triggers E12 security errors
Create a .txt file somewhere with contents like this:
# vim: tw=80 lbr spell
Editing this file in GoNeovim 0.4.7 will cause three errors, one for each modeline setting.
Editing this file in GoNeovim (:e ~/path/to/test.txt) generates the following errors:
Error detected while processing OptionSet Autocommands for "*":
E12: Command not allowed from exrc/vimrc in current dir or tag search
E12: Command not allowed from exrc/vimrc in current dir or tag search
E12: Command not allowed from exrc/vimrc in current dir or tag search
Environment
- macOS 10.15.6
- Neovim 0.4.4 (homebrew)
- GoNeovim 0.4.7 (GitHub release)
- No init.vim
It seems to be about # sign and txt ftype, not a goneovim issue.
@psagers @cpkio
Hi,
Thanks for the contribution. This was an issue with Goneovim.
Goneovim needs to detect some Option changes and has its own autocmd to detect them internally.
On the other hand, rpcnotify running on this autocmd seems to cause E12 in files with ro or modeline enabled.
The problem with modeline causing E12 has been fixed.
https://github.com/akiyosi/goneovim/commit/9949899bdf9a2128edadbbf30d0cc93d3e761c43#commitcomment-42190807
As for the above comment, I was wrong. I will look at ways around this problem.
@psagers
Hi,
The error itself could be suppressed by setting the function call with silent!.
Please try it.
https://github.com/akiyosi/goneovim/actions/runs/278584984
silent! call rpcnotify(0, "Gui", "gonvim_optionset") would presumably suppress the errors. Of course it would apply to more than just modelines and would also suppress any legitimate errors in the future. It might be nice to actually understand what gonvim_optionset is trying to do that Neovim considers to be security-sensitive.
Just a few thoughts. I haven't set up a goneovim build, I just noticed this problem when I was trying it.
Sorry, I had the wrong link. I fixed it to the correct link.
Thanks for the comment. Yes, I think we need to understand the harm of suppressing errors. Currently, I don't have any ideas on how to bypass other implementations, so I'd like to make the feature reduction related to this issue a limitation for a while.
Ah, that makes more sense. I can't seem to run the CI builds. It doesn't appear to be a code signing issue, but I'm not sure what else it would be. In any case, the change looks straightforward enough.
Thanks