nvi and modelines

[José de Paula]

On Mon, 12 Jul 2004 09:05:53 -0400, N. Thomas <nthomas at cise.ufl.edu> wrote:
> * Jos? de Paula <espinafre at gmail.com> [2004-07-08 23:38:22 -0300]:
> > The nvi manual page says that modelines will never be implemented.
> > Does anyone know the rationale behind this
> 
> Probably because it's a *huge* security risk. Modelines will cause vi to
> read commands from the file. Can you imagine what it could do in the
> wrong hands?
> 
Yes, I can imagine. The last thing we need is macro viruses in a text editor.
However, I believe (please prove me wrong) that restricting the possible
commands on a modeline only to arguments for :set (like vim does) doesn't pose
a security risk.

> Even Vim, preeminent among vi clones, uses only a "stripped down"
> modeline. From the online Vim manual:
> 
>     No other commands than "set" are supported, for security reasons
>     (somebody might create a Trojan horse text file with modelines).
> 
Yep, I saw that; I had this in mind when suggesting modelines for nvi. 
Actually I'm hacking a quick-and-dirty modeline implementation for nvi,
`a la vim (i.e., only accept 'set ' arguments on the modeline). I will post it
somewhere (probably on Usenet, comp.editors) when it is at least compilable.

> Is there something that you want to do with modelines that you can't do
> in nvi?
> 
I can always use nvi -c 'commands', but I think it would be nice  to
have automatic
ts/sw/whatever settings according to the individual file I am editing.
Besides, this is more to increase nvi's compatibility with original vi
than anything else. Think of it as "art for art's sake"; for the
utility, we already have ${FAVORITE_EDITOR}.