[vim/vim] Create a fallback compatibility option for patch 9.2.0405 (PR #20162)


MiguelBarro

May 7, 2026, 7:34:56 PM
to vim/vim, Subscribed

The patch 9.2.0405 effectively disables the use of remote URIs in tag files.
That is, it disables :tag / netrw integration. It is no longer possible to use :tag commands to:

  • ssh (or ftp, sftp, etc.) into another computer.
  • open sources in GitHub, GitLab, etc.

I believe both scenarios are quite common nowadays and backward compatibility should be provided using a specific option.
In this PR I propose 'tagsecure' because:

  • all tag options are prefixed with 'tag'
  • there is a 'secure' option already.

You can view, comment on, or merge this pull request online at:

  https://github.com/vim/vim/pull/20162

Commit Summary

  • eb1a6a8 Introduced 'tagsecure' option
  • 75939c5 'tagsecure' option docs

File Changes

(10 files)


MiguelBarro

May 7, 2026, 8:15:18 PM
to vim/vim, Push

@MiguelBarro pushed 2 commits.

  • 4474dfa Introduced 'tagsecure' option
  • 87aed64 'tagsecure' option docs


zeertzjq

May 7, 2026, 8:25:50 PM
to vim/vim, Subscribed
zeertzjq left a comment (vim/vim#20162)

The problem that patch 9.2.0405 attempts to solve is that opening URLs via tags allows environment variable exfiltration. If patch 9.2.0405 was too restrictive then I think the alternative solution (disabling environment expansion in tag URLs) should be used instead.


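An added example, not part of the thread or of the Vim sources: a small audit script that flags tags-file entries whose file field is a remote URI or contains an environment-variable reference, the two properties discussed above. It assumes the standard `{tagname}<Tab>{tagfile}<Tab>{tagaddress}` layout; the function name `audit_tags`, the regular expressions and the sample entries (with `.invalid` hosts) are constructed for illustration.

```python
import re

# Assumption: a file field starting with "<scheme>://" is treated as a remote URI.
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
# Assumption: $NAME and ${NAME} are treated as environment-variable references.
ENV_RE = re.compile(r"\$(\w+|\{\w+\})")


def audit_tags(text):
    """Return (lineno, tagname, filefield, reasons) for entries worth reviewing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("!_TAG_"):  # blank line or pseudo-tag header
            continue
        fields = line.split("\t")
        if len(fields) < 3:  # not a tagname/tagfile/tagaddress entry
            continue
        name, fname = fields[0], fields[1]
        reasons = []
        if URI_RE.match(fname):
            reasons.append("remote-uri")
        if ENV_RE.search(fname):
            reasons.append("env-reference")
        if reasons:
            findings.append((lineno, name, fname, reasons))
    return findings


# Constructed sample tags file (not taken from any real project).
SAMPLE = "\n".join([
    "!_TAG_FILE_SORTED\t1\t/0=unsorted, 1=sorted, 2=foldcase/",
    "main\tsrc/main.c\t/^int main(/;\"\tf",
    "parse\tscp://build.example.invalid/src/parse.c\t/^parse(/;\"\tf",
    "init\t$HOME/src/init.c\t1",
    "helper\thttps://host.example.invalid/${USER}/helper.c\t1",
])

if __name__ == "__main__":
    for lineno, name, fname, reasons in audit_tags(SAMPLE):
        print(f"line {lineno}: tag {name!r} -> {fname} [{', '.join(reasons)}]")
```

Running it over the tags files of a freshly cloned or unpacked tree before using `:tag` there shows which entries would resolve to something other than a plain local path.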

Christian Brabandt

10:51 AM
to vim/vim, Subscribed
chrisbra left a comment (vim/vim#20162)

Is this really that common? It's not only about environment variable exfiltration, but you know what can happen if your tag lookup starts querying a random URL (which can be quite unexpected).


