[maintainer update] editors/helix 25.07
Committed, thanks.
I'm running locally with patches to disable loading workspace-specific
helix configuration files.
These files can execute arbitrary code by abusing the LSP configuration
directive (see https://github.com/helix-editor/helix/issues/9514).
Obviously this disables an otherwise documented feature, but since I use
helix to open files in ports sources on a regular basis, it's a *very*
undesirable feature from my perspective.
Patch (including a fix for a whitespace nit) attached. What's your
opinion?
On 7/16/25 12:29 PM, Laurent Cheylus wrote:
> Hi ports@
>
> update for editors/helix to the latest version 25.07.
> Changelog: https://github.com/helix-editor/helix/blob/master/CHANGELOG.md#2507-2025-07-15
>
> - update Makefile, crates.inc and distinfo for this version
> - regen patches
> - reformat pkg/DESCR for features
>
> Build and tests OK on current/amd64 with Rust 1.88.0
>
> Tests welcome and please commit if OK.
>
> Laurent
>
Index: Makefile
===================================================================
RCS file: /cvs/ports/editors/helix/Makefile,v
retrieving revision 1.12
diff -u -p -r1.12 Makefile
--- Makefile 16 Jul 2025 18:42:11 -0000 1.12
+++ Makefile 16 Jul 2025 19:10:11 -0000
@@ -2,6 +2,7 @@ COMMENT = modal text editor
VER = 25.07
DISTNAME = helix-${VER}
+REVISION = 0
CATEGORIES = editors
@@ -27,8 +28,8 @@ COMPILER = base-clang ports-gcc
MODULES = devel/cargo
-CONFIGURE_STYLE = cargo
-SEPARATE_BUILD = Yes
+CONFIGURE_STYLE = cargo
+SEPARATE_BUILD = Yes
pre-extract:
@mkdir -p ${WRKDIST}
Index: patches/patch-helix-loader_src_config_rs
===================================================================
RCS file: patches/patch-helix-loader_src_config_rs
diff -N patches/patch-helix-loader_src_config_rs
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-helix-loader_src_config_rs 16 Jul 2025 19:10:11 -0000
@@ -0,0 +1,16 @@
+Don't load workspace-local helix configurations. This might enable
+code execution when running helix in an untrusted repository.
+
+See: https://github.com/helix-editor/helix/issues/2697
+
+Index: helix-loader/src/config.rs
+--- helix-loader/src/config.rs.orig
++++ helix-loader/src/config.rs
+@@ -11,7 +11,6 @@ pub fn default_lang_config() -> toml::Value {
+ pub fn user_lang_config() -> Result<toml::Value, toml::de::Error> {
+ let config = [
+ crate::config_dir(),
+- crate::find_workspace().0.join(".helix"),
+ ]
+ .into_iter()
+ .map(|path| path.join("languages.toml"))
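Review bot: the header comment of this new patch file cites https://github.com/helix-editor/helix/issues/2697, while the mail proposing it cites issue 9514 for the same concern; use the reference that describes the code-execution path, or list both, so the rationale can be followed later. The wording "This might enable code execution" also reads as if the patch itself enables it; "Loading them might enable ..." is unambiguous. Because dropping `crate::find_workspace().0.join(".helix")` from `user_lang_config()` silently disables a documented feature, a line in pkg/DESCR or a pkg/README stating that workspace-local `languages.toml` is ignored in this package would save users from debugging a project configuration that never loads.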
Index: patches/patch-helix-term_src_config_rs
===================================================================
RCS file: patches/patch-helix-term_src_config_rs
diff -N patches/patch-helix-term_src_config_rs
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-helix-term_src_config_rs 16 Jul 2025 19:10:11 -0000
@@ -0,0 +1,23 @@
+Don't load workspace-local helix configurations. This might enable
+code execution when running helix in an untrusted repository.
+
+See: https://github.com/helix-editor/helix/issues/2697
+
+Index: helix-term/src/config.rs
+--- helix-term/src/config.rs.orig
++++ helix-term/src/config.rs
+@@ -58,12 +58,11 @@ impl Display for ConfigLoadError {
+ impl Config {
+ pub fn load(
+ global: Result<String, ConfigLoadError>,
+- local: Result<String, ConfigLoadError>,
++ _local: Result<String, ConfigLoadError>,
+ ) -> Result<Config, ConfigLoadError> {
+ let global_config: Result<ConfigRaw, ConfigLoadError> =
+ global.and_then(|file| toml::from_str(&file).map_err(ConfigLoadError::BadConfig));
+- let local_config: Result<ConfigRaw, ConfigLoadError> =
+- local.and_then(|file| toml::from_str(&file).map_err(ConfigLoadError::BadConfig));
++ let local_config: Result<ConfigRaw, ConfigLoadError> = Err(ConfigLoadError::default());
+ let res = match (global_config, local_config) {
+ (Ok(global), Ok(local)) => {
+ let mut keys = keymap::default();
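Review bot: `Err(ConfigLoadError::default())` in `Config::load` depends on which variant `Default` yields and on how the arms of `match (global_config, local_config)` treat it, and neither is visible in this hunk; please confirm it lands in an arm that falls back to the global configuration without reporting an error, otherwise every start would surface a spurious local-config failure. Renaming the parameter to `_local` also means the caller still locates and reads the workspace-local file and only then discards the result; removing the read at the call site would make the intent explicit and avoid touching configuration files in an untrusted tree at all.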