On 2025-12-18 10:47 am, Christian Brabandt wrote:
> On Do, 18 Dez 2025, Chainsaw wrote:
>
>> The PATH variable does not matter for an executable if you are in the
>> directory of the executable, or using the absolute path. When a
>> command is issued at the CMD prompt, the Operating System will first
>> look for an executable file in the current folder, if not found it will
>> scan %PATH% to
>
> Which is a huge security issue by itself. There is a reason why almost
> no other shell behaves like this and even powershell did not inherit
> this behavior. In fact MS introduced the
> $NoDefaultCurrentDirectoryInExePath environment variable to enable
> customers to disable this behaviour.
>
> And Vim does set this environment variable since patch 9.1.1947 (see
> https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834 for
> the reasoning).
>
> I'd recommend not to rely on that behavior (e.g. what happens if you
> have a malicious dir.cmd in your current directory?).
>
> In any case, I suppose you could disable this behavior by unsetting
> $NoDefaultCurrentDirectoryInExePath from your environment, like:
> set NoDefaultCurrentDirectoryInExePath=
>
>> (I do consider this a bug because I should not have to include current
>> directory in path).
>
> Well, I don't :)
>
> Thanks,
> Chris
> --
> And in the heartbreak years that lie ahead,
> Be true to yourself and the Grateful Dead.
> -- Joan Baez
>
> --
Chris,
Thanks for the info. Sorry for calling it a bug, it was the sudden
change in Vim's behavior that threw me off. I download the updates daily
and do read the description of changes, but 9.1.1947 happened right at
the time I was switching over to a new Windows 11 machine, which is why I
never saw this in Win10, and associated it with a Vim Win11 problem.
Guess I spoke too soon.
I do like the option to set NoDefaultCurrentDirectoryInExePath, however
a malicious executable could also be anywhere in your PATH, and so many
programs/scripts rely on the OS to search the current directory first.
This is one of those 'fixes' that has pros and cons.
Thanks again for everyone's help, and thank you Chris and your team for
keeping Vim alive.
Chainsaw
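To make the search-order point in the thread concrete, here is an added example (not code from Vim or from either poster): a small offline Python model of cmd.exe's command lookup, with the filesystem, PATH and PATHEXT constructed inline. It assumes the documented rule that NoDefaultCurrentDirectoryInExePath only has to exist in the environment to disable the current-directory search, and that the legacy order is the current directory first, then each PATH entry, trying the PATHEXT extensions in order.

```python
"""Offline model of cmd.exe command resolution (constructed example).

A 'filesystem' here is a dict mapping a directory to the file names in it.
"""

# Default PATHEXT order on Windows, trimmed to the common entries.
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]
HARDENING_VAR = "NoDefaultCurrentDirectoryInExePath"


def search_order(cwd, path_dirs, env):
    """Directories consulted, first to last, for the given environment."""
    dirs = list(path_dirs)
    # Legacy behaviour: the current directory is searched before PATH.
    # Merely defining the variable (any value) switches that off.
    if HARDENING_VAR not in env:
        dirs.insert(0, cwd)
    return dirs


def resolve(command, cwd, path_dirs, env, fs, pathext=PATHEXT):
    """Return the full path cmd.exe would launch for `command`, or None."""
    for d in search_order(cwd, path_dirs, env):
        # Windows file names are case-insensitive; keep the real spelling.
        lookup = {name.lower(): name for name in fs.get(d, ())}
        for ext in pathext:
            real = lookup.get((command + ext).lower())
            if real is not None:
                return d.rstrip("\\") + "\\" + real
    return None


def shadowed_by_cwd(command, cwd, path_dirs, fs, pathext=PATHEXT):
    """Audit check: does a file in the current directory win over PATH?

    Returns (legacy_choice, hardened_choice) when they differ, else None.
    """
    legacy = resolve(command, cwd, path_dirs, {}, fs, pathext)
    hardened = resolve(command, cwd, path_dirs, {HARDENING_VAR: "1"}, fs, pathext)
    return (legacy, hardened) if legacy != hardened else None


# Constructed sample: an untrusted project directory carrying ctags.cmd.
FS = {
    r"C:\Windows\System32": {"where.exe", "cmd.exe"},
    r"C:\tools": {"ctags.exe"},
    r"C:\Users\me\proj": {"ctags.cmd", "notes.txt"},
}
PATH = [r"C:\Windows\System32", r"C:\tools"]
CWD = r"C:\Users\me\proj"
```

Running shadowed_by_cwd over the commands a script or Vim mapping invokes shows which of them change meaning once the variable is set, which is the audit you would want before relying on either behaviour.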
--
You received this message from the "vim_use" maillist.
For more information, visit http://www.vim.org/maillist.php
To view this discussion visit https://groups.google.com/d/msgid/vim_use/5967d1175358a53d9551d5995ff3bfe4%40fourbarlinkage.net.