From: Volker Schlecht Subject: Re: [maintainer update] editors/helix 25.07 To: Laurent Cheylus , ports Date: Wed, 16 Jul 2025 21:17:49 +0200 Committed, thanks. I'm running locally with patches to disable loading workspace-specific helix configuration files. These files can execute arbitrary code by abusing the lsp configuration directive (See https://github.com/helix-editor/helix/issues/9514) Obviously this disables an otherwise documented feature, but since I use helix to open files in ports sources on a regular basis, it's a *very* undesirable feature from my perspective. Patch (including a fix for a whitespace nit) attached. What's your opinion? On 7/16/25 12:29 PM, Laurent Cheylus wrote: > Hi ports@ > > update for editors/helix to the latest version 25.07. > Changelog: https://github.com/helix-editor/helix/blob/master/CHANGELOG.md#2507-2025-07-15 > > - update Makefile, crates.inc and distinfo for this version > - regen patches > - reformat pkg/DESCR for features > > Build and tests OK on current/amd64 with Rust 1.88.0 > > Tests welcome and please commit if OK. > > Laurent > Index: Makefile =================================================================== RCS file: /cvs/ports/editors/helix/Makefile,v retrieving revision 1.12 diff -u -p -r1.12 Makefile --- Makefile 16 Jul 2025 18:42:11 -0000 1.12 +++ Makefile 16 Jul 2025 19:10:11 -0000 @@ -2,6 +2,7 @@ COMMENT = modal text editor VER = 25.07 DISTNAME = helix-${VER} +REVISION = 0 CATEGORIES = editors @@ -27,8 +28,8 @@ COMPILER = base-clang ports-gcc MODULES = devel/cargo -CONFIGURE_STYLE = cargo -SEPARATE_BUILD = Yes +CONFIGURE_STYLE = cargo +SEPARATE_BUILD = Yes pre-extract: @mkdir -p ${WRKDIST} Index: patches/patch-helix-loader_src_config_rs =================================================================== RCS file: patches/patch-helix-loader_src_config_rs diff -N patches/patch-helix-loader_src_config_rs 
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-helix-loader_src_config_rs 16 Jul 2025 19:10:11 -0000
@@ -0,0 +1,16 @@
+Don't load workspace-local helix configurations. This might enable
+code execution when running helix in an untrusted repository.
+
+See: https://github.com/helix-editor/helix/issues/2697
+
+Index: helix-loader/src/config.rs
+--- helix-loader/src/config.rs.orig
++++ helix-loader/src/config.rs
+@@ -11,7 +11,6 @@ pub fn default_lang_config() -> toml::Value {
+ pub fn user_lang_config() -> Result {
+ let config = [
+ crate::config_dir(),
+- crate::find_workspace().0.join(".helix"),
+ ]
+ .into_iter()
+ .map(|path| path.join("languages.toml"))
Index: patches/patch-helix-term_src_config_rs
===================================================================
RCS file: patches/patch-helix-term_src_config_rs
diff -N patches/patch-helix-term_src_config_rs
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-helix-term_src_config_rs 16 Jul 2025 19:10:11 -0000
@@ -0,0 +1,23 @@
+Don't load workspace-local helix configurations. This might enable
+code execution when running helix in an untrusted repository.
+
+See: https://github.com/helix-editor/helix/issues/2697
+
+Index: helix-term/src/config.rs
+--- helix-term/src/config.rs.orig
++++ helix-term/src/config.rs
+@@ -58,12 +58,11 @@ impl Display for ConfigLoadError {
+ impl Config {
+ pub fn load(
+ global: Result,
+- local: Result,
++ _local: Result,
+ ) -> Result {
+ let global_config: Result =
+ global.and_then(|file| toml::from_str(&file).map_err(ConfigLoadError::BadConfig));
+- let local_config: Result =
+- local.and_then(|file| toml::from_str(&file).map_err(ConfigLoadError::BadConfig));
++ let local_config: Result = Err(ConfigLoadError::default());
+ let res = match (global_config, local_config) {
+ (Ok(global), Ok(local)) => {
+ let mut keys = keymap::default();
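Review bot: The explanatory header of this patch file cites helix issue 2697, while the mail that introduces the change cites issue 9514 for code execution through the lsp directive; the header (and the identical one on patch-helix-term_src_config_rs) should name whichever issue actually describes the risk, so the reason for diverging from upstream stays traceable when the patches are regenerated. The change itself only removes the `.helix/languages.toml` lookup in `user_lang_config()`, whose body continues outside the hunk. Other code that resolves files relative to `crate::find_workspace()` is not visible here, so it is worth confirming none remains before treating this as the trust boundary for untrusted repositories. Since a documented feature is disabled silently, a sentence such as `Workspace-local .helix/ configuration is ignored in this package.` in the port's description or README would tell users why their per-project settings have no effect.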
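Review bot: Hard-wiring `local_config` to `Err(ConfigLoadError::default())` makes the mitigation depend on which variant `default()` produces and on how the `match` below treats it, neither of which is visible in this hunk (the body of `load` continues past it). If that default were the variant used for malformed configuration, presumably `BadConfig`, the workspace file would not be quietly ignored and startup would likely report a configuration error instead. A comment on the new line would pin the assumption, for example `// workspace config deliberately ignored; default() must stay a non-BadConfig error`. The `(Ok(global), Ok(local))` arm is now unreachable, and the caller presumably still reads the workspace `config.toml` before passing it as `_local`; both are harmless today but are the places to re-check on the next upstream update.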