vim-patch:9.1.1802: 'nowrap' in a modeline may hide malicious code (#35946)

Problem: 'nowrap' in a modeline may hide malicious code. Solution: Forcibly use '>' as 'listchars' "extends" if 'nowrap' was set from a modeline (zeertzjq). Manual `:setlocal nowrap` disables this behavior. There is a separate problem with `:set nowrap` that also applies to some other options. related: vim/vim#18214 related: vim/vim#18399 closes: vim/vim#18425 9d5208a931 Cherry-pick some test_modeline.vim changes from patches 9.0.{0363,0626}.
2025-11-15 06:49:01 +00:00 · 2025-09-29 07:48:46 +08:00
parent fcf752476a
commit 0fa0717d4e
7 changed files with 89 additions and 12 deletions
--- a/src/nvim/options.lua
+++ b/src/nvim/options.lua
@@ -10811,6 +10811,11 @@ local options = {
        <	See 'sidescroll', 'listchars' and |wrap-off|.
        This option can't be set from a |modeline| when the 'diff' option is
        on.
+        If 'nowrap' was set from a |modeline| or in the |sandbox|, '>' is used
+        as the |lcs-extends| character regardless of the value of the 'list'
+        and 'listchars' options.  This is to prevent malicious code outside
+        the viewport from going unnoticed.  Use `:setlocal nowrap` manually
+        afterwards to disable this behavior.
      ]=],
      full_name = 'wrap',
      redraw = { 'current_window' },