Monday, March 27, 2017

Security Risk: (was Re: vim 'less.sh' script probs w/folds)

Ken Takata wrote:
> Hi,
>
> 2017/3/28 Tue 6:19:19 UTC+9 L A Walsh wrote:
>
>> If I have a file with folds in it (fdm=marker), and I try to
>> display it with the vim 'less.sh' script, there doesn't seem to be
>> a way to get rid of all the folds (no 'zR'). I can use the cursor
>> keys to move to each fold and open it, but that really defeats
>> the idea of using 'less' to scroll through the source by pressing
>> 'space' (for example).
>>
>> Maybe folds should be disabled for the less.sh script?
>>
>
> I'm not sure it should be disabled. However, you can use the following
> command as a workaround to open all folds:
>
> :norm! zR
>
----
Thanks for the workaround, but where do I put that to
make it default, in the less.vim file?

Why would you think it shouldn't be disabled? I.e.
how does it help emulate the file-pagers 'less' or 'more' while
providing syntax-coloring?

From a different perspective, how would a non-vim user
know what to do to use 'less.sh' if it is supposed to be a pager
like 'less' or 'more' to page through file or program text without
having various portions of files possibly hidden?

It seems that if anyone was using less.sh to display files,
as they would 'less' or 'more' (but w/syntax highlighting), then
having text being hidden would seem to be a potential security
risk, no?

Looking at a shell script like this:

-----
#!/bin/bash
echo All is fine. Please wait...
#{{{
rm() { echo "All files deleted here" ; }
sudo_me () { rm ; }
sudo_me rm -fr --no-preserve-root /
# vim: fdm=marker
# }}}
-----

In vim's "less.sh", one would see:

#!/bin/bash
echo All is fine. Please wait...
+-- 6 lines: -------------------------------------------
echo All done!

Then running it would lead to unexpected behavior.

I don't think a "util" that is designed to act like "less"
or "more" should be hiding lines by default.
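
An added example, not part of the original post: a Python check that reports which lines of a file Vim would collapse when a modeline sets fdm=marker, as in the script above. The function names are hypothetical, the modeline regex and marker handling are simplified assumptions (default {{{ / }}} markers, no numbered levels), and the sample is the post's script embedded as constructed input.

```python
import re

# Constructed sample: the script from the post, embedded as text (never executed).
SAMPLE = """#!/bin/bash
echo All is fine. Please wait...
#{{{
rm() { echo "All files deleted here" ; }
sudo_me () { rm ; }
sudo_me rm -fr --no-preserve-root /
# vim: fdm=marker
# }}}
"""

MODELINES = 5  # Vim's default 'modelines': only the first/last 5 lines are checked
# Simplified modeline match (assumption: covers the common "vim: ..." forms only).
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):.*\b(?:fdm|foldmethod)=marker\b")


def modeline_enables_marker_folds(text):
    """True if a modeline within reach of Vim sets foldmethod=marker."""
    lines = text.splitlines()
    return any(MODELINE_RE.search(l) for l in lines[:MODELINES] + lines[-MODELINES:])


def marker_regions(text, open_m="{{{", close_m="}}}"):
    """Top-level (start, end) line ranges, 1-based, delimited by fold markers."""
    lines = text.splitlines()
    regions, depth, start = [], 0, None
    for n, line in enumerate(lines, 1):
        if open_m in line:
            if depth == 0:
                start = n
            depth += 1
        elif close_m in line and depth > 0:
            depth -= 1
            if depth == 0:
                regions.append((start, n))
    if depth > 0:  # unclosed marker: treat the fold as running to end of file
        regions.append((start, len(lines)))
    return regions


def hidden_lines(text):
    """(line number, text) pairs a pager honouring the modeline would fold away."""
    if not modeline_enables_marker_folds(text):
        return []
    lines = text.splitlines()
    return [(n, lines[n - 1]) for s, e in marker_regions(text) for n in range(s, e + 1)]


if __name__ == "__main__":
    for n, line in hidden_lines(SAMPLE):
        print(f"{n}: {line}")
```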




