refactor: deprecate 'secure' option

Now that 'exrc' files must be explicitly marked trusted there is no need
to constrain what can be done in them.
Gregory Anders
2022-11-06 19:44:30 -07:00
parent 294910a1ff
commit 6d9c3d903e
10 changed files with 14 additions and 52 deletions


@@ -5129,19 +5129,6 @@ A jump table for the options with a short description can be found at |Q_op|.
two letters (See |object-motions|). The default makes a section start two letters (See |object-motions|). The default makes a section start
at the nroff macros ".SH", ".NH", ".H", ".HU", ".nh" and ".sh". at the nroff macros ".SH", ".NH", ".H", ".HU", ".nh" and ".sh".
*'secure'* *'nosecure'* *E523*
'secure' boolean (default off)
global
When on, ":autocmd", shell and write commands are not allowed in
".nvimrc" and ".exrc" in the current directory and map commands are
displayed. Switch it off only if you know that you will not run into
problems, or when the 'exrc' option is off. On Unix this option is
only used if the ".nvimrc" or ".exrc" is not owned by you. This can be
dangerous if the systems allows users to do a "chown". You better set
'secure' at the end of your |init.vim| then.
This option cannot be set from a |modeline| or in the |sandbox|, for
security reasons.
*'selection'* *'sel'* *'selection'* *'sel'*
'selection' 'sel' string (default "inclusive") 'selection' 'sel' string (default "inclusive")
global global


@@ -641,6 +641,9 @@ Options:
*'prompt'* *'noprompt'* *'prompt'* *'noprompt'*
*'remap'* *'noremap'* *'remap'* *'noremap'*
*'restorescreen'* *'rs'* *'norestorescreen'* *'nors'* *'restorescreen'* *'rs'* *'norestorescreen'* *'nors'*
*'secure'*
Everything is allowed in 'exrc' files since they must be explicitly marked
trusted.
*'shelltype'* *'shelltype'*
*'shortname'* *'sn'* *'noshortname'* *'nosn'* *'shortname'* *'sn'* *'noshortname'* *'nosn'*
*'swapsync'* *'sws'* *'swapsync'* *'sws'*


@@ -1134,8 +1134,7 @@ void do_bang(int addr_count, exarg_T *eap, bool forceit, bool do_in, bool do_out
int scroll_save = msg_scroll; int scroll_save = msg_scroll;
// //
// Disallow shell commands from .exrc and .vimrc in current directory for // Disallow shell commands in secure mode
// security reasons.
// //
if (check_secure()) { if (check_secure()) {
return; return;
@@ -1477,8 +1476,7 @@ filterend:
/// @param flags may be SHELL_DOOUT when output is redirected /// @param flags may be SHELL_DOOUT when output is redirected
void do_shell(char *cmd, int flags) void do_shell(char *cmd, int flags)
{ {
// Disallow shell commands from .exrc and .vimrc in current directory for // Disallow shell commands in secure mode
// security reasons.
if (check_secure()) { if (check_secure()) {
msg_end(); msg_end();
return; return;
@@ -3215,8 +3213,7 @@ void ex_z(exarg_T *eap)
ex_no_reprint = true; ex_no_reprint = true;
} }
/// @return true if the secure flag is set (.exrc or .vimrc in current directory) /// @return true if the secure flag is set and also give an error message.
/// and also give an error message.
/// Otherwise, return false. /// Otherwise, return false.
bool check_secure(void) bool check_secure(void)
{ {


@@ -4223,8 +4223,7 @@ theend:
static void ex_autocmd(exarg_T *eap) static void ex_autocmd(exarg_T *eap)
{ {
// Disallow autocommands from .exrc and .vimrc in current // Disallow autocommands in secure mode.
// directory for security reasons.
if (secure) { if (secure) {
secure = 2; secure = 2;
eap->errmsg = _(e_curdir); eap->errmsg = _(e_curdir);


@@ -2211,8 +2211,7 @@ int buf_write(buf_T *buf, char *fname, char *sfname, linenr_T start, linenr_T en
return FAIL; return FAIL;
} }
// Disallow writing from .exrc and .vimrc in current directory for // Disallow writing in secure mode.
// security reasons.
if (check_secure()) { if (check_secure()) {
return FAIL; return FAIL;
} }


@@ -489,8 +489,7 @@ EXTERN int stdin_fd INIT(= -1);
// true when doing full-screen output, otherwise only writing some messages. // true when doing full-screen output, otherwise only writing some messages.
EXTERN int full_screen INIT(= false); EXTERN int full_screen INIT(= false);
/// Non-zero when only "safe" commands are allowed, e.g. when sourcing .exrc or /// Non-zero when only "safe" commands are allowed
/// .vimrc in current directory.
EXTERN int secure INIT(= 0); EXTERN int secure INIT(= 0);
/// Non-zero when changing text and jumping to another window or editing another buffer is not /// Non-zero when changing text and jumping to another window or editing another buffer is not
@@ -864,7 +863,7 @@ EXTERN char e_api_spawn_failed[] INIT(= N_("E903: Could not spawn API job"));
EXTERN char e_argreq[] INIT(= N_("E471: Argument required")); EXTERN char e_argreq[] INIT(= N_("E471: Argument required"));
EXTERN char e_backslash[] INIT(= N_("E10: \\ should be followed by /, ? or &")); EXTERN char e_backslash[] INIT(= N_("E10: \\ should be followed by /, ? or &"));
EXTERN char e_cmdwin[] INIT(= N_("E11: Invalid in command-line window; <CR> executes, CTRL-C quits")); EXTERN char e_cmdwin[] INIT(= N_("E11: Invalid in command-line window; <CR> executes, CTRL-C quits"));
EXTERN char e_curdir[] INIT(= N_("E12: Command not allowed from exrc/vimrc in current dir or tag search")); EXTERN char e_curdir[] INIT(= N_("E12: Command not allowed in secure mode in current dir or tag search"));
EXTERN char e_command_too_recursive[] INIT(= N_("E169: Command too recursive")); EXTERN char e_command_too_recursive[] INIT(= N_("E169: Command too recursive"));
EXTERN char e_endif[] INIT(= N_("E171: Missing :endif")); EXTERN char e_endif[] INIT(= N_("E171: Missing :endif"));
EXTERN char e_endtry[] INIT(= N_("E600: Missing :endtry")); EXTERN char e_endtry[] INIT(= N_("E600: Missing :endtry"));
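Review bot: The reworded E12 message still says "in current dir", but the only place this commit shows `secure` being set for a current-directory .nvimrc/.exrc (the main.c hunk) is removed, so that part of the text is now stale; `EXTERN char e_curdir[] INIT(= N_("E12: Command not allowed in secure mode or during tag search"));` matches what remains. The comment on `secure` should also record the two values the code actually uses: ex_autocmd and ex_map bump it from 1 to 2 when they refuse a command, so `/// 1 when only "safe" commands are allowed; raised to 2 once such a command was refused (see ex_autocmd, ex_map).` Whether anything besides tag search still sets `secure` to 1 is not visible in this commit and should be confirmed before trimming the message further.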


@@ -1989,32 +1989,15 @@ static void source_startup_scripts(const mparm_T *const parmp)
do_system_initialization(); do_system_initialization();
if (do_user_initialization()) { if (do_user_initialization()) {
// Read initialization commands from ".vimrc" or ".exrc" in current // Read initialization commands from ".nvimrc" or ".exrc" in current
// directory. This is only done if the 'exrc' option is set. // directory. This is only done if the 'exrc' option is set.
// Because of security reasons we disallow shell and write commands
// now, except for unix if the file is owned by the user or 'secure'
// option has been reset in environment of global "exrc" or "vimrc".
// Only do this if VIMRC_FILE is not the same as vimrc file sourced in // Only do this if VIMRC_FILE is not the same as vimrc file sourced in
// do_user_initialization. // do_user_initialization.
#if defined(UNIX)
// If vimrc file is not owned by user, set 'secure' mode.
if (!os_file_owned(VIMRC_FILE)) // NOLINT(readability/braces)
#endif
secure = p_secure;
char *str = nlua_read_secure(VIMRC_FILE); char *str = nlua_read_secure(VIMRC_FILE);
if (str != NULL) { if (str != NULL) {
do_source_str(str, VIMRC_FILE); do_source_str(str, VIMRC_FILE);
xfree(str); xfree(str);
} else { } else {
#if defined(UNIX)
// if ".exrc" is not owned by user set 'secure' mode
if (!os_file_owned(EXRC_FILE)) {
secure = p_secure;
} else {
secure = 0;
}
#endif
str = nlua_read_secure(EXRC_FILE); str = nlua_read_secure(EXRC_FILE);
if (str != NULL) { if (str != NULL) {
do_source_str(str, EXRC_FILE); do_source_str(str, EXRC_FILE);
@@ -2022,10 +2005,6 @@ static void source_startup_scripts(const mparm_T *const parmp)
} }
} }
} }
if (secure == 2) {
need_wait_return = true;
}
secure = 0;
} }
TIME_MSG("sourcing vimrc file(s)"); TIME_MSG("sourcing vimrc file(s)");
} }
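Review bot: With the os_file_owned() fallback gone, the trust check inside nlua_read_secure() is the only thing standing between a .nvimrc/.exrc dropped into the current directory and unrestricted execution, yet the comment at the top of the hunk still only mentions 'exrc'; I would add `// The file is sourced only if nlua_read_secure() reports it as trusted, and a trusted file runs` `// unrestricted (shell, write and autocmd commands included), so trusting is all-or-nothing.` Previously a file not owned by the user was at least run in secure mode; if nlua_read_secure() trusts by path rather than by content (not visible here), a trusted file later modified by another user would now run with full privileges, which is worth confirming against the trust database implementation. source_startup_scripts() begins before this hunk.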


@@ -2446,8 +2446,7 @@ void ex_abbreviate(exarg_T *eap)
/// ":map" and friends. /// ":map" and friends.
void ex_map(exarg_T *eap) void ex_map(exarg_T *eap)
{ {
// If we are sourcing .exrc or .vimrc in current directory we // If we are in a secure mode we print the mappings for security reasons.
// print the mappings for security reasons.
if (secure) { if (secure) {
secure = 2; secure = 2;
msg_outtrans(eap->cmd); msg_outtrans(eap->cmd);


@@ -2007,7 +2007,7 @@ return {
}, },
{ {
full_name='secure', full_name='secure',
short_desc=N_("mode for reading .vimrc in current dir"), short_desc=N_("No description"),
type='bool', scope={'global'}, type='bool', scope={'global'},
secure=true, secure=true,
varname='p_secure', varname='p_secure',
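Review bot: "No description" is user-visible wherever short_desc is rendered and tells a reader nothing about why the option exists; since the only read of p_secure shown in this commit (main.c) is removed, the description should say that instead, e.g. `short_desc=N_("deprecated: no longer used"),`. If some code outside this commit still reads p_secure, the wording should say what it still affects rather than claiming it is unused.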


@@ -1930,7 +1930,7 @@ int do_source(char *fname, int check_other, int is_vimrc)
cookie.fp = fopen_noinh_readbin(fname_exp); cookie.fp = fopen_noinh_readbin(fname_exp);
if (cookie.fp == NULL && check_other) { if (cookie.fp == NULL && check_other) {
// Try again, replacing file name ".vimrc" by "_vimrc" or vice versa, // Try again, replacing file name ".nvimrc" by "_nvimrc" or vice versa,
// and ".exrc" by "_exrc" or vice versa. // and ".exrc" by "_exrc" or vice versa.
p = path_tail(fname_exp); p = path_tail(fname_exp);
if ((*p == '.' || *p == '_') if ((*p == '.' || *p == '_')