Security hole with the paste command #329

Open
opened 2017-01-21 21:37:37 +01:00 by mardukbp · 2 comments
mardukbp commented 2017-01-21 21:37:37 +01:00 (Migrated from github.com)

As pointed out [here](http://lifepluslinux.blogspot.de/2017/01/look-before-you-paste-from-website-to.html) copying and pasting a seemingly inoffensive `ls -l` from a website can result in serious harm to your data.

The problem is that a trailing newline character is interpreted as `RET` resulting in immediate execution of the shell command. A possible defense against this attack is to use a shell that supports [bracketed paste](https://www.gnu.org/software/bash/manual/html_node/Readline-Init-File-Syntax.html#index-enable_002dbracketed_002dpaste).

This works well in e.g. Gnome Terminal, but not in cool-retro-term.
j3pic commented 2019-09-03 23:41:58 +02:00 (Migrated from github.com)

iTerm2 supports bracketed paste, and it's a nightmare. If I run Vim on a remote machine and lose the connection, from then on all pastes result in escape sequences being dumped to the terminal.

Bracketed paste also fails when you paste into things that aren't meant to be used interactively.

If you implement this, please have an option to turn bracketed pasting off.

j3pic commented 2020-02-10 05:14:59 +01:00 (Migrated from github.com)

Apparently cool-retro-term actually does implement bracketed paste mode, and offers no way to disable it. I've been having problems with the following workflow:

  1. Copy some text from a GUI program.
  2. `cat > /tmp/some-file` on my Mac. I paste the text into cool-retro-term using shift-Cmd-V (shift is required with Cmd, even though it shouldn't be because Cmd is distinct from Ctrl, but that's a separate issue)
  3. `scp /tmp/some-file` to another machine.

When I paste the text, since `cat` is not an interactive program that is aware of bracketed pasting, I end up seeing `^[[200~` at the beginning of the pasted text, and `^[[201~` at the end. I end up having to open the file in an editor (exactly the step I was trying to avoid) to manually delete the escape codes.

This is exactly the nightmare I was anticipating. It's only taken me this long to run into it because I use Cathode far more than Cool-Retro-Term and it doesn't implement this problem "feature".

And I couldn't even evaluate if bracketed pasting solved the security issue because changes to Chrome prevent the hack demonstrated [here](http://lifepluslinux.blogspot.de/2017/01/look-before-you-paste-from-website-to.html) from working.
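The following is an added example, not code from cool-retro-term or from either commenter. It simulates the two behaviours discussed in this thread: how a readline-style shell that understands bracketed paste keeps a pasted trailing newline from acting as Enter (the original report), and what happens when a terminal wraps a paste in `^[[200~` / `^[[201~` even though the receiving program (`cat`) never asked for it (the later comment). The `terminal_paste` and `line_editor` functions and the `always_bracket` flag are constructs of this example; the clipboard contents are constructed input. A real program opts in by writing `ESC[?2004h` to the terminal, which is modelled here simply as the `program_enabled` argument.

```python
# Added example (not cool-retro-term code): simulate bracketed paste on both
# sides of the pty to show why it defends against "paste runs immediately"
# and why forcing it on for unaware programs corrupts their input.

PASTE_START = "\x1b[200~"   # terminal sends this before pasted text
PASTE_END = "\x1b[201~"     # ... and this after it


def terminal_paste(clipboard: str, program_enabled: bool,
                   always_bracket: bool = False) -> str:
    """Bytes the terminal writes to the pty when the user pastes `clipboard`.

    A well-behaved terminal brackets only when the foreground program enabled
    the mode. `always_bracket=True` is an assumption for this example that
    models the behaviour reported in the thread (markers sent regardless).
    """
    if program_enabled or always_bracket:
        return PASTE_START + clipboard + PASTE_END
    return clipboard


def line_editor(stream: str, bracket_aware: bool):
    """Readline-style consumer. Returns (lines_submitted, pending_buffer).

    Unaware: every newline submits the current line at once, so a pasted
    trailing newline runs the command with no chance to look at it.
    Aware: text between the markers is inserted literally (newlines included);
    only a newline *outside* a paste, i.e. the user pressing Enter, submits.
    """
    submitted, buf, in_paste, i = [], "", False, 0
    while i < len(stream):
        if bracket_aware and stream.startswith(PASTE_START, i):
            in_paste, i = True, i + len(PASTE_START)
        elif bracket_aware and stream.startswith(PASTE_END, i):
            in_paste, i = False, i + len(PASTE_END)
        else:
            ch, i = stream[i], i + 1
            if ch == "\n" and not in_paste:
                submitted.append(buf)
                buf = ""
            else:
                buf += ch
    return submitted, buf


def caret_notation(s: str) -> str:
    """Render ESC the way a terminal or `cat -v` shows it, e.g. '^[[200~'."""
    return s.replace("\x1b", "^[")


def demo():
    # Constructed clipboard: a harmless-looking command with a trailing newline,
    # as it might arrive from a web page.
    clip = "ls -l\n"

    # 1. No bracketing, unaware line editor: the newline acts as Enter.
    ran, _ = line_editor(terminal_paste(clip, program_enabled=False),
                         bracket_aware=False)
    # 2. Shell enabled bracketed paste and the terminal honours it: nothing
    #    runs; the whole paste sits in the buffer for the user to inspect.
    ran2, pending = line_editor(terminal_paste(clip, program_enabled=True),
                                bracket_aware=True)
    # 3. `cat > /tmp/some-file` never enabled the mode, but the terminal
    #    brackets anyway: the markers land in the file verbatim.
    file_bytes = terminal_paste("some text\n", program_enabled=False,
                                always_bracket=True)
    return ran, ran2, pending, caret_notation(file_bytes)


if __name__ == "__main__":
    labels = ("executed on paste (no bracketing)",
              "executed on paste (bracketed, aware shell)",
              "pending buffer after bracketed paste",
              "what cat wrote to the file")
    for label, value in zip(labels, demo()):
        print(f"{label}: {value!r}")
```

Scenario 2 is the defence the first comment asks for: the paste lands in the edit buffer and nothing is submitted until a newline arrives outside the markers. Scenario 3 reproduces the complaint in the later comment: because the terminal decides to bracket without the program having opted in, a non-interactive consumer sees the raw escape sequences, which is why the mode is normally negotiated per program rather than forced on.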
Reference: seeseemelk/cool-retro-term#329