Turn off modeline support in Vim

For those who need it, Vim's modeline support can be very useful. For the rest of us, it is nothing but a possible hole in our security.

In case you have not heard of it, vi is the name of one of the two most popular non-IDE editors that programmers use -- the other is EMACS. They may even be the two most popular editors that programmers use, even including IDEs. A number of different variants of the vi editor have been created over the years, many of these implementations attempting to improve on its basic functionality. The most popular of these is known as Vim, which its creator Bram Moolenaar tells us means "Vi Improved".

While some users consider Vim to be made of pure excellence through and through, others consider it quite bloated beyond what it should actually provide for users. In fact, a lot of its functionality is somewhat redundant, with newer features providing capabilities that largely duplicate older functionality, with a slightly different flavor. The majority of Vim users do not use more than a tiny fraction of its capabilities.

As a contrasting example, every FreeBSD system comes with another vi implementation called nvi installed by default. It is described as attempting to provide a bug-for-bug compatible replacement for the original Berkeley vi. Meanwhile, many Linux distributions do not provide a separate vi these days, and simply use a version of Vim with a lot of its functionality turned off when the user enters vi at the shell to start the default visual editor.

Most Vim users enjoy the availability of some functionality that simply does not exist in a more basic implementation of vi, including simple things like better auto-formatting capabilities (e.g., indentation configuration). Using the full-featured Vim editor means getting everything it does, though -- the good and the bad. For the majority of users, a configuration option for what Vim calls "modeline" support falls in the latter category.

Modelines are lines that can be added to a text file that tell Vim how it should behave when started, altering standard Vim behavior in some way. Modeline functionality is available in some vi implementations, but others specifically avoid it. For instance, in the nvi manpage:

   modelines, modeline [off]
        Read the first and last few lines of each file for ex commands.
        This option will never be implemented.

Vim, of course, provides more modeline capabilities than probably any other vi implementation. Over the course of its almost two decades of existence, this richness of modeline support has created a number of security vulnerabilities. Opening a text file with a maliciously crafted modeline or two in the document could cause something untoward to occur. For the most part, such vulnerabilities have been fixed, but the very fact that such vulnerabilities can occur should be no surprise at all when one considers that modeline support executes any of a number of frighteningly arbitrary Vim commands embedded in the file.

Some effort is made to limit the damage that can be done by modelines, of course. For instance, the only modeline commands that Vim will execute are set commands. Even so, combining certain set commands with later commands issued by the user may lead to unfortunate effects, and some set commands can load another file to be executed by Vim's sophisticated customization capabilities to ill effect as well.

For most users, modeline support is entirely unnecessary. Since modeline support is easily deactivated in Vim's configuration file, it is probably desirable for most users to ensure that modeline support is turned off. In fact, for the standard install of Vim on many OSs, modeline support is turned off by default.

You can check whether modeline support is active with this Vim command:

:set modeline?

If modeline parsing is active, it will inform you with the output modeline. Otherwise, it will tell you that modeline support is not active with nomodeline. To be absolutely certain it is turned off, though, there are two different settings you can add to your .vimrc configuration file to ensure that modelines are not parsed. Either will work; using both will not hurt anything.

:set modelines=0

:set nomodeline

The first, modelines=0, will set the number of modelines Vim parses, when it starts, to zero -- which means that, even if modeline support is turned on, no modelines will be parsed at all. The second, nomodeline, will simply turn off modeline parsing altogether. The especially cautious user may add both settings.
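
A static check of the two settings described above, as an added example that is not part of the original article: it reads the text of a .vimrc in order and reports whether modelines would still be parsed. The function names and the sample file are constructed for illustration, and the starting values (modeline on, modelines=5) are assumed Vim defaults passed as parameters because OS packages may ship different ones. It only reads top-level set lines and does not follow sourced files, conditionals or plugins.

```python
import re

# Constructed sample .vimrc content, used only to exercise the check.
SAMPLE_VIMRC = """\
" personal settings
syntax on
:set modeline            " enabled by an earlier edit
set tabstop=4 modelines=0
"""

# Optional leading colons, then "se" or "set", then the option list.
SET_CMD = re.compile(r"^[:\s]*set?\s+(.*)$")


def modeline_state(vimrc_text, modeline=True, modelines=5):
    """Apply each set command in order; return (modeline, modelines)."""
    for raw in vimrc_text.splitlines():
        match = SET_CMD.match(raw.strip())
        if not match:
            continue  # comment lines and commands other than set
        for token in match.group(1).split():
            if token.startswith('"'):
                break  # a trailing comment ends the set command
            if token in ("modeline", "ml"):
                modeline = True
            elif token in ("nomodeline", "noml"):
                modeline = False
            elif token in ("invmodeline", "invml", "modeline!", "ml!"):
                modeline = not modeline  # toggle forms
            else:
                count = re.fullmatch(r"(?:modelines|mls)[=:](\d+)", token)
                if count:
                    modelines = int(count.group(1))
    return modeline, modelines


def modelines_parsed(vimrc_text, **defaults):
    """True if modelines would still be parsed after this vimrc is read."""
    modeline, modelines = modeline_state(vimrc_text, **defaults)
    return modeline and modelines > 0


if __name__ == "__main__":
    print("state:", modeline_state(SAMPLE_VIMRC))
    print("modelines parsed:", modelines_parsed(SAMPLE_VIMRC))
```

In the sample, a later modelines=0 neutralizes the earlier set modeline, which is the case the article describes for the first setting.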