[vim/vim] Safe exrc (#7981)


Hritik Vijay

Mar 18, 2021, 8:19:40 AM
to vim/vim, Subscribed

A per project configuration appears to be something that is really needed inside vim. We're having more and more collaborative work and every project follows its own taste. Exrc option solves the issue but brings potentially hazardous problems like code execution and what not.

I'd like to propose a vim variables files on per project basis. Let's say there would be a file named .vimvar in project root which vim would read and only use to set some variables. The syntax of .vimvar could be any key value pair.
After reading those variables they could be reflected as g:project_local_<var_name> which could further be used inside the global vimrc to achieve desired results.

For example, if there's a plugin which requires to provide the linter name to use in g:plugin_linter variable, one could simply set that variable to g:plugin_linter = g:project_local_linter and the project based linter would be used.



Christian Brabandt

Mar 18, 2021, 8:37:04 AM
to vim/vim, Subscribed

Is this anything that an editorconfig file would not solve?

Christian Brabandt

Mar 18, 2021, 8:37:21 AM
to vim/vim, Subscribed

related: #2286

Hritik Vijay

Mar 18, 2021, 8:58:46 AM
to vim/vim, Subscribed

Editorconfig looks very promising but it restricts itself to very few configurations that could be set in a local file. This enhancement would introduce a list of key-value pairs that could be used to potentially configure anything inside vim. Consider the original example, I could not find a way in editorconfig to achieve that.

Maxim Kim

Mar 18, 2021, 9:37:34 AM
to vim/vim, Subscribed

> I'd like to propose a vim variables files on per project basis.

What is a project?

> A per project configuration appears to be something that is really needed inside vim.

It looks like it could be solved by a plugin.

Gary Johnson

Mar 18, 2021, 10:29:33 AM
to reply+ACY5DGH25CST2K6PMT...@reply.github.com, vim...@googlegroups.com
On 2021-03-18, Maxim Kim wrote:
> I'd like to propose a vim variables files on per project basis.
>
> What is a project?
>
> A per project configuration appears to be something that is really needed
> inside vim.
>
> It looks like it could be solved by a plugin.

Yes, especially since everyone has a different idea of how this sort
of thing should work.

Regards,
Gary

ii14

Mar 18, 2021, 10:51:40 AM
to vim/vim, vim-dev ML, Comment

Isn't 'exrc' with 'secure' just that?

A counterpoint, you can always set some option like &makeprg or a variable that is being executed somewhere down the line to something malicious either way.

In my opinion a good way to solve the exrc problem is to store file hashes of known exrc files and source them only after the user explicitly confirms that the file is safe. But this can be easily done with a plugin and I did just that.
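
The hash-and-confirm scheme described in the comment above, sketched in Vim script as an added example; it is not ii14's plugin or any code from this thread, and the function name `SafeExrc`, the store path and the prompt wording are assumptions.

```vim
" Added example; names and paths below are assumptions, not from the thread.
" Needs a Vim with sha256() (+cryptv). Keep 'exrc' off so Vim itself sources nothing.
set noexrc
let s:store = expand('~/.vim/exrc_trusted')  " hypothetical store: one 'hash path' per line

function! s:Entry(path) abort
  " Hash the raw bytes, so any edit to the file produces a different entry.
  return sha256(join(readfile(a:path, 'b'), "\n")) . ' ' . a:path
endfunction

function! s:Remember(entry) abort
  let l:dir = fnamemodify(s:store, ':h')
  if !isdirectory(l:dir)
    call mkdir(l:dir, 'p', 0700)
  endif
  call writefile([a:entry], s:store, 'a')
endfunction

function! SafeExrc(...) abort
  let l:path = fnamemodify(a:0 ? a:1 : '.exrc', ':p')
  if !filereadable(l:path)
    return 0
  endif
  let l:entry = s:Entry(l:path)
  let l:known = filereadable(s:store) ? readfile(s:store) : []
  if index(l:known, l:entry) < 0
    " New file, or content changed since it was approved: ask again.
    let l:msg = "Untrusted or modified exrc:\n" . l:entry
    " Default is 2 (Skip); Esc returns 0, which also skips.
    if confirm(l:msg, "&Trust and source\n&Skip", 2, 'Warning') != 1
      return 0
    endif
    call s:Remember(l:entry)
  endif
  " Caveat: the file is read again here, so a change between hashing and
  " sourcing is not detected.
  execute 'source' fnameescape(l:path)
  return 1
endfunction

augroup safe_exrc
  autocmd!
  autocmd VimEnter * call SafeExrc()
augroup END
```

The prompt shows only the path and digest, so the file still has to be read before it is approved; the store records that a specific content was approved, not that it is safe.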



Bram Moolenaar

Mar 18, 2021, 11:00:58 AM
to vim/vim, vim-dev ML, Comment

I do not think this could be done within Vim in a way that it would please many users. There are just too many different setups that people use. In your private directories you can just execute any commands you have put there. If you work with a team you may be OK to execute some scripts that the team has made together. If you are in a company you may want to (or have to) follow policies. If you clone something random from github you should not trust anything.

You can easily add some files to a project and add a plugin that reads them. E.g. to run checks before writing a file to check for style rules and mandatory indenting. You can already do that, no need to change Vim. There can be several plugins that compete over the best way to do this.



Hritik Vijay

Mar 18, 2021, 12:29:24 PM
to vim/vim, vim-dev ML, Comment

You're right. It should be done by a plugin, not vim itself.



Hritik Vijay

Mar 18, 2021, 12:29:24 PM
to vim/vim, vim-dev ML, Comment

Closed #7981.

