Tuesday, March 28, 2017

Re: Security Risk: (was vim 'less.sh' script probs w/folds)

Christian wrote:

> > Ken Takata wrote:
> > >Hi,
> > >
> > >2017/3/28 Tue 6:19:19 UTC+9 L A Walsh wrote:
> > >>If I have a file with folds in it (fdm=marker), and I try to
> > >>display it with the vim 'less.sh' script, there doesn't seem to be
> > >>a way to get rid of all the folds (no 'zR'). I can use the cursor
> > >>keys to move to each fold and open it, but that really defeats
> > >>the idea of using 'less' to scroll through the source by pressing
> > >>'space' (for example).
> > >>
> > >>Maybe folds should be disabled for the less.sh script?
> > >
> > >I'm not sure it should be disabled. However, you can use the following
> > >command as a workaround to open all folds:
> > >
> > > :norm! zR
> > ----
> > Thanks for the workaround, but where do I put that to
> > make it default, in the less.vim file?
>
> You can also use zi or :set nofoldenable or something like this.
>
> > Why would you think it shouldn't be disabled? I.e.
> > how does it help emulate the file-pagers 'less' or 'more' while
> > providing syntax-coloring?
>
> Because less.vim does what Vim would do.
>
> > From a different perspective, how would a non-vim user
> > know what to do to use 'less.sh' if it is supposed to be a pager
> > like 'less' or 'more' to page through file or program text without
> > having various portions of files possibly hidden.
>
> How likely is it, that a non-vim user gets into contact with less.vim?
>
> > It seems that if anyone was using less.sh to display files,
> > as they would 'less' or 'more' (but w/syntax highlighting), then
> > having text being hidden would seem to be a potential security
> > risk, no?
>
> Where do you see a security risk? It is pretty obvious, that a fold is
> there, so it should be easy to disable it and then you see what is
> hidden behind a fold.
>
> How about the attached patch?
>
> @Bram,
> please see the attached patch. It improves less.vim in several ways:
>
> - Makes 'F' toggle folds to make it easier to disable folds and also
> displays it in the help overview

"F" already has a meaning:
" Re-read file and page forward "tail -f"
map F :e<CR>G<SID>L:sleep 1<CR>F
Your patch overwrites this.

We could use "o" for open and "c" for close, since these would normally
be commands that modify the file, but with less Vim is in read-only
mode, thus these commands won't work.

> - Display 'r' key in the help overview
> - Add <nowait> to the mappings, because when trying out less.vim
> I found quite a few of the keys were not working as expected, since
> many plugins map the same keys (or the same prefix, which makes Vim
> wait until the timeout triggers)
>
> On a related note, I see that less.bat and less.sh set 'no_plugin_maps'
> However only 11 of over 200 filetype plugins actually check that
> variable. I suggest to at least add a help tag *no_plugin_maps* to
> encourage filetype plugin writers to respect that variable.

I'll do that.

--
hundred-and-one symptoms of being an internet addict:
223. You set up a web-cam as your home's security system.

/// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
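As an added illustration (not the patch attached to this thread, which is not included here), a less.vim-style fragment that applies the ':norm! zR' workaround automatically so no folded text stays hidden from someone paging through a file, puts fold open/close on the 'o'/'c' keys Bram proposes, and shows the guard a filetype plugin should use so that it honours 'no_plugin_maps'. The mapping names, the <buffer> scope and the "example" filetype are assumptions for illustration.

```vim
" Added example (not the patch attached to this thread): a less.vim-style
" fragment. Key choices and names below are assumptions for illustration.

" 1. Nothing hidden by default: open every fold once the file is loaded,
"    so a reader paging through a file sees all of its text. This is the
"    ':norm! zR' workaround from the thread, applied automatically.
silent! normal! zR

" 2. Fold controls on 'o' (open) and 'c' (close), keys that would
"    normally edit the buffer but do nothing useful while Vim acts as a
"    read-only pager. <nowait> makes Vim act on the key at once instead
"    of waiting 'timeoutlen' for a longer mapping with the same prefix;
"    per ':help :map-<nowait>' this is effective for buffer-local
"    mappings, so they are defined with <buffer> here (assumption).
nnoremap <buffer> <nowait> <silent> o zo
nnoremap <buffer> <nowait> <silent> c zc

" 'F' keeps its existing less.vim meaning (re-read the file and page
" forward, like "tail -f") and is deliberately not remapped.

" 3. What a filetype plugin should do so it does not clobber pager keys:
"    less.sh and less.bat set no_plugin_maps before starting Vim, and
"    this is the guard pattern the Vim docs show for filetype plugins.
"    'example' stands for the plugin's own filetype name.
if !exists("no_plugin_maps") && !exists("no_example_maps")
  nnoremap <buffer> <silent> <LocalLeader>e :echo "example filetype map"<CR>
endif
```

Source the fragment after the file is loaded (as less.sh does with 'runtime! macros/less.vim') so that 'normal! zR' acts on the buffer being paged.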

