edit-in-kitty: Ignore environment variables as some editors execute code present in env vars

2026-06-06 09:15:57 +02:00 · 2026-04-04 08:42:06 +05:30
parent 4aa7739bdd
commit 8bf1bd479b
3 changed files with 6 additions and 1 deletions
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -217,6 +217,8 @@ Detailed list of changes

 - Password input in kittens: hide the cursor and display a blinking 🔒 at the end of typed characters to make it visually clear the user is entering a password

+- edit-in-kitty: Ignore environment variables as some editors execute code present in env vars
+

 0.46.2 [2026-03-21]
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- a/docs/shell-integration.rst
+++ b/docs/shell-integration.rst
@@ -313,7 +313,8 @@ window, etc. Not all arguments are supported, see the discussion in the
 :ref:`clone_shell` section above.

 In order to avoid remote code execution, kitty will only execute the configured
-editor and pass the file path to edit to it.
+editor and pass the file path to edit to it and it will strip all environment
+variables from the :command:`edit-in-kitty` command line.

 .. note:: To edit files using sudo the best method is to set the
   :code:`SUDO_EDITOR` environment variable to ``kitten edit-in-kitty`` and
--- a/kitty/launch.py
+++ b/kitty/launch.py
@@ -1109,6 +1109,8 @@ def remote_edit(msg: str, window: Window) -> None:
        return
    cmdline = get_editor(path_to_edit=c.file_localpath, line_number=c.line_number)
    c.opts.source_window = c.opts.next_to = f'id:{window.id}'
+    # We ignore env vars as some editors execute code present in env vars such as VIMINIT
+    c.opts.env = ()
    w = launch(get_boss(), c.opts, cmdline)
    if w is not None:
        c.source_window_id = window.id