New properties to deny some untrusted code execution

[scintillaDotOrg]

Some new properties have been committed to SciTE to prevent some possible execution of untrusted code.

When some files are downloaded, perhaps a project from GitHub, there may be SciTE.properties files included to customize settings for those files. Some of these are minor like changing the set of keywords for a programming language or the colour of comments but some may have further ramifications.

SciTE.properties may set the Lua scripting file with ext.lua.startup.script which is automatically run. This has legitimate uses such as providing new commands for the downloaded files but may also read and write files or execute commands. Setting  ext.lua.startup.script in SciTE.properties will now be disabled unless allow.local.script is set to 1 in user or global options. allow.local.script also controls whether the extension.<filepattern> property may be set in SciTE.properties.

Script lexers may be implemented in Lua and accessed by specifying lexer.<filepattern>=script_<name> and this is now disabled unless allow.script.lexer is set to 1 in user or global options.

These features are rarely used so requiring an extra property setting is not a large burden.

The properties.local.enable property may be set to 0 to completely disable reading SciTE.properties files. This is a drastic reduction in SciTE capabilities but can be used in particularly security-conscious situations. This setting may evolve in the future with allow-lists or deny-lists for where local options files may be used.

While I haven't heard of any exploits that target SciTE.properties, other more popular editors have been targeted.

The committed changes can be examined either in the repositories

   hg clone http://hg.code.sf.net/p/scintilla/scite

or from

   https://www.scintilla.org/scite.zip Source
   https://www.scintilla.org/wscite.zip Windows executable (64-bit)

Neil