diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..926ccaa
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+doc/tags
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3dd21f4
--- /dev/null
+++ b/README.md
@@ -0,0 +1,18 @@
+# securemodelines
+A secure alternative to Vim modelines
+
+Vim's internal modeline support allows all sorts of annoying and potentially insecure options to be set. This script implements a much more heavily restricted modeline parser that permits only user-specified options to be set.
+
+The `g:secure_modelines_allowed_items` array contains allowed options. See `:help securemodelines_options` for default values.
+
+The `g:secure_modelines_verbose` variable, if set to something true, will make the script warn when a modeline attempts to set any other option.
+
+The `g:secure_modelines_modelines` variable overrides the number of lines to check. By default it is 5.
+
+If `g:secure_modelines_leave_modeline` is defined, the script will not clobber &modeline. Otherwise &modeline will be unset.
+
+Keeping things up to date on vim.org is a nuisance. For the latest version, visit: http://github.com/ciaranm/securemodelines
+
+Install into your plugin directory of choice.
+
+vim.org: http://www.vim.org/scripts/script.php?script_id=1876
diff --git a/doc/securemodelines.txt b/doc/securemodelines.txt
new file mode 100644
index 0000000..1b91f98
--- /dev/null
+++ b/doc/securemodelines.txt
@@ -0,0 +1,63 @@
+*securemodelines.txt* A secure alternative to Vim modelines
+
+vim.org: http://www.vim.org/scripts/script.php?script_id=1876
+
+For the latest version, visit: http://github.com/ciaranm/securemodelines
+
+Author: Ciaran McCreesh
+
+==============================================================================
+0. Contents *securemodelines-toc*
+
+ 1. Functionality..........................: |securemodelines-plugin|
+ 2. Plugin settings........................: |securemodelines-settings|
+ 2.1 Allowed modeline options...............: |securemodelines_options|
+
+==============================================================================
+ *securemodelines-plugin*
+
+1. Functionality
+
+Vim's internal modeline support allows all sorts of annoying and
+potentially insecure options to be set. This script implements a much
+more heavily restricted modeline parser that permits only user-specified
+options to be set.
+
+ *securemodelines-settings*
+2. Options
+
+The g:secure_modelines_allowed_items array contains allowed options.
+By default it is set as follows:
+
+ *securemodelines_options*
+let g:secure_modelines_allowed_items = [
+ \ "textwidth", "tw",
+ \ "softtabstop", "sts",
+ \ "tabstop", "ts",
+ \ "shiftwidth", "sw",
+ \ "expandtab", "et", "noexpandtab", "noet",
+ \ "filetype", "ft",
+ \ "foldmethod", "fdm",
+ \ "formatoptions", "fo",
+ \ "readonly", "ro", "noreadonly", "noro",
+ \ "rightleft", "rl", "norightleft", "norl",
+ \ "cindent", "cin", "nocindent", "nocin",
+ \ "smartindent", "si", "nosmartindent", "nosi",
+ \ "autoindent", "ai", "noautoindent", "noai",
+ \ "spell", "nospell",
+ \ "spelllang"
+ \ ]
+
+The g:secure_modelines_verbose variable, if set to something true, will
+make the script warn when a modeline attempts to set any other option.
+
+The g:secure_modelines_modelines variable overrides the number of lines
+to check. By default it is 5.
+
+If g:secure_modelines_leave_modeline is defined, the script will not
+clobber &modeline. Otherwise &modeline will be unset.
+
+Install into your plugin directory of choice.
+
+==============================================================================
+vim:tw=78:ts=8:ft=help
diff --git a/plugin/securemodelines.vim b/plugin/securemodelines.vim
index e23429f..facef43 100644
--- a/plugin/securemodelines.vim
+++ b/plugin/securemodelines.vim
@@ -13,21 +13,23 @@ let g:loaded_securemodelines = 1
 
 if (! exists("g:secure_modelines_allowed_items"))
 let g:secure_modelines_allowed_items = [
- \ "textwidth", "tw",
- \ "softtabstop", "sts",
- \ "tabstop", "ts",
- \ "shiftwidth", "sw",
- \ "expandtab", "et", "noexpandtab", "noet",
- \ "filetype", "ft",
- \ "foldmethod", "fdm",
- \ "readonly", "ro", "noreadonly", "noro",
- \ "rightleft", "rl", "norightleft", "norl",
- \ "cindent", "cin", "nocindent", "nocin",
- \ "smartindent", "si", "nosmartindent", "nosi",
- \ "autoindent", "ai", "noautoindent", "noai",
- \ "spell", "nospell",
- \ "spelllang"
- \ ]
+ \ "textwidth", "tw",
+ \ "softtabstop", "sts",
+ \ "tabstop", "ts",
+ \ "shiftwidth", "sw",
+ \ "expandtab", "et", "noexpandtab", "noet",
+ \ "filetype", "ft",
+ \ "foldmethod", "fdm",
+ \ "foldmarker", "fmr",
+ \ "formatoptions", "fo",
+ \ "readonly", "ro", "noreadonly", "noro",
+ \ "rightleft", "rl", "norightleft", "norl",
+ \ "cindent", "cin", "nocindent", "nocin",
+ \ "smartindent", "si", "nosmartindent", "nosi",
+ \ "autoindent", "ai", "noautoindent", "noai",
+ \ "spell", "nospell",
+ \ "spelllang"
+ \ ]
 endif
 
 if (! exists("g:secure_modelines_verbose"))
@@ -54,7 +56,7 @@ fun! IsInList(list, i) abort
 endfun
 
 fun! DoOne(item) abort
- let l:matches = matchlist(a:item, '^\([a-z]\+\)\%([-+^]\?=[a-zA-Z0-9_\-,.]\+\)\?$')
+ let l:matches = matchlist(a:item, '^\([a-z]\+\)\%([-+^]\?=[a-zA-Z0-9_\-,.\[\]]\+\)\?$')
 if len(l:matches) > 0
 if IsInList(g:secure_modelines_allowed_items, l:matches[1])
 exec "setlocal " . a:item
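Review bot: The default list printed in doc/securemodelines.txt, added in this same commit, has no `"foldmarker", "fmr"` entry, although this hunk adds that pair to the plugin's default `g:secure_modelines_allowed_items`. Anyone auditing from the help text what a modeline may set will miss it, so add `\ "foldmarker", "fmr",` after the `"foldmethod", "fdm",` line in the help file. Both new options take plain string or flag values rather than expressions, which fits the allowlist model. A comment above the list stating that criterion would help keep later additions safe, for example `" Only options whose values are never evaluated as expressions or commands belong here`.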
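Review bot: The new value class `[a-zA-Z0-9_\-,.\[\]]` in `DoOne` probably admits a literal backslash as well as the two brackets. As I read `:help /[]`, inside a collection a backslash is an escape only before `]`, `^`, `-`, `\` and a few letters, so `\[` is taken as `\` plus `[`; this is worth confirming with `echo '\' =~ '[\[]'`. Since this pattern is the only filter in front of `exec "setlocal " . a:item`, I would write the opening bracket unescaped: `let l:matches = matchlist(a:item, '^\([a-z]\+\)\%([-+^]\?=[a-zA-Z0-9_\-,.[\]]\+\)\?$')`. The wider class also applies to every allowed option, not only `foldmarker` (which I assume is why the brackets were added), so a one-line comment above the `matchlist` call saying so would help. The body of `DoOne` continues past the end of the hunk.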