You are not logged in.
And they're wrong.
Don't copypaste stuff from the internet directly into interactive shells.
It is, to quote schard, "a monumentally bad idea".
You're oc far more likely to get away w/ that from a nice dude on the bbs or stackoverflow (if there're multiple views/responses) than from reddit or, worse, 4chan or some random dudes blog.
But it is *never* safe.
I understand that after reading this thread, but I doubt it is common knowledge.
echo foo | xsel -i
and then paste (Shift+ins) into your terminal.
I don't actually have an insert key. I noticed above different kinds of paste being mentioned, so I'm not sure what's equivalent. If I copy-paste that and press enter, I just get
bash: xsel: command not found
Thanks for the information about vim.
Last edited by cfr (2023-01-09 02:19:45)
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline
Corresponding Debian bug report.
https://groups.google.com/g/linux.debia … 0oCUoLFNFQ
Vim's bug report
https://github.com/vim/vim/issues/11766
Apparently, this bug is already fixed in a newer version of Vim (patch 9.0.1117)
Last edited by dikei (2023-01-09 07:17:27)
Offline
But it is *never* safe
Don't be silly. It is perfectly safe if you know exactly what the command does and you use the PRIMARY to copy it. That just saves time typing and is immune to the javascipt hack, which relies on the CLIPBOARD.
Offline
The point about bracketed pasting is to catch stealth glyphs that are sneaked in there via various html shenanigans.
Ie you *believe* to exactly know what the command does, but you don't, because you don't know what you actually copied.
This is NOT limited to javascript:
https://www.bleepingcomputer.com/news/s … et-hacked/
A Reddit user also presented an alternative example of this trick that requires no JavaScript: invisible text made with HTML and CSS styling that gets copied onto your clipboard when you copy the visible portions of text:
"The problem is not just that the website can change your clipboard contents using JavaScript," explains the user, SwallowYourDreams.
"It could also just hide commands in the HTML that are invisible to the human eye, but will be copied by the computer."
Also, reality check: if you copypaste commands from the internet, that's usually because you don't exactly know what they do.
Your shell will hopefully catch that, but I'm sure you're aware what a trivial fork-bomb looked like.
How hard, do you suppose, would it be to hide that and a stray semicolon and hashtag in your garden varienty, average complex sed string?
If you copypaste stuff from the internet into an interactive shell, you allow somebody else to operate your system.
You can justify that w/ "I think this seth guy has a very trustworthy looking avatar", but it is not safe to do that.
Your browser is NOT a friendly environment.
Offline
Offline
But but but, I use w3m. So you're WRONG!
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
So tabby's dead?
Your browser is NOT a friendly environment.
i use w3m
--- q.e.d.
Before anyone finds this thread and freaks out:
The world isn't full of monsters.
99.999% of all times you copy stuff from a webpage, it's probably benign.
Eg. I'd be hard pressed to come up w/ a way how one could trick the clipboard within the context of the BBS (because, unlike markdown, you can't post literal html) and also too many savvy users hang out here to not, at least after a while, catch a deceptive command, call it out and flag it for deletion.
But: you need to be very aware of the security layers around you - and when they're absent.
It is therefore risky to create the habit to casually copy and paste from the internet - even in a safe™ environment.
Because those habits will stick and bite you (not gonna tell where) in the 0.001% case when pasting stuff from the internet was a *really* dumb idea.
So be cautious and mindful where, how and from whom you pick up a piece of code.
Every. Single. Time.
Offline
Actually tabby is currently on life-support due to huge API changes in wlroots 0.15->0.16 ... but tabby is my compositor, not browser (weaver is my browser project).
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
So… I guess we just figured that I use neither - and that being too lazy (to research it) bit me…
Offline
Is there any point in non-trivial paste-handling by terminal applications/emulators, beside fixing "copy from a browser might have injected something invisible into the buffer"?
The html shenanigans reasoning seems little more than a security failure on the browser side. That js can do the same without giving trusted feedback of the final content is even worse behaviour, again of the browser alone.
Why is the browser not warning the user that the copied (plain version of the) text is the result of very different text elements and is therefore unsafe?
Or just shows a pop-up with a single scrollable text box and a couple of buttons "yup this is what I wanted to have in my clipboard", "no, I wrongly clicked somewhere", "NO! Report the address of this page for fraudulent clipboard behaviour, and never let me visit it again"?
If the user is one that ignores a warning he does not understand, he surely would not be able to understand why the terminal is doing or asking anything more than just pasting.
Offline
I'd have all the same questions as above. This security "feature" would also prevents copying and pasting multiple commands at once which one might want to do. I say would as this "feature" has never existed on my systems. I just use xsel / wl-paste to check the contents of the buffer before posting - there's not even a need for a browser to check this either.
A security measure that's in place for something on the order of one in every thousand or so copy operations that interferes with all one thousand is a bit silly - even more so when a ounce of care from the user would prevent every problem in those one-in-one-thousand cases.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
Most likely an ncurses-related issue. The latest patch of ncurses (https://lists.gnu.org/archive/html/bug- … 00020.html) stated:
+ add comment to bracketed+paste explaining that vim patch 9.0.1117 is needed for use with the updated xterm descriptions (suggested by Bram Moolenaar).
I guess the issue might be fixed when the latest vim lands in the package repository.
Offline
The origin of bracketed pasting isn't security related at all: https://cirw.in/blog/bracketed-paste
That became a thing in 2020/2021 or so.
Offline
How does that link indicate it's not security related? It seems to clearly show it is as it is a response to:
[copy-and-pasting into a terminal] can obviously be dangerous as your shell has the ability to do all kinds of things that you don’t want to happen by accident.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
Sorry, https://invisible-island.net/xterm/xterm-paste64.html
Edit: I was also wrong about when this first became a security thing - despite readline defaulting to it ~2020/1, it's clearly already concerned in 2013.
Bed-time.
Last edited by seth (2023-01-09 22:37:43)
Offline
Thanks for the new link. But this history brings into doubt the relevance of bracketed paste for this thread. Apparently bracketed paste has been around for a while; this problem arose (or was revealed) only with the an update to ncurses. So perhaps it's a bug in code that implements bracketed paste, but it's not bracketed pasting itself that is the issue. Further support of this conclusion is that I apparently do not have bracketed paste in my terminal, yet I was impacted by the current problem pasting into a terminal.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
The latest ncurses has also screwed up the prompt position on opening a terminal. For some god unknown reason, the prompt is now halfway down the screen. So now I have to Ctrl-l in every terminal I open because my OCD will not let me begin typing halfway down a screen...
Offline
The latest ncurses has also screwed up the prompt position on opening a terminal. For some god unknown reason, the prompt is now halfway down the screen. So now I have to Ctrl-l in every terminal I open because my OCD will not let me begin typing halfway down a screen...
I didn't see that in konsole, even without borrowing the old terminfo definitions.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline
jasonwryan wrote:The latest ncurses has also screwed up the prompt position on opening a terminal. For some god unknown reason, the prompt is now halfway down the screen. So now I have to Ctrl-l in every terminal I open because my OCD will not let me begin typing halfway down a screen...
I didn't see that in konsole, even without borrowing the old terminfo definitions.
Yep, it's a urxvt thing. I haven't had the time, or the will, to dig into it.
Offline
> it's a urxvt thing
Offline
> it's a urxvt thing
Ta!
Offline
So perhaps it's a bug in code that implements bracketed paste, but it's not bracketed pasting itself that is the issue.
Since it's the terminfo that seems to trigger this and the terminfo 6.3/6.4 diffand last 6.3 patch almost exclusively tackle brackted pasting for various terminal emulators it is probably around the topic.
The debian thread claims that vim 9.0.1117 will "fix" (align to) this and independently of that, it would probably still be a good idea to test whether bracketed pasting in general still (or now) works as can be expected (and compare it w/ the toggleable readline behavior)
Offline
It's a vim issue: https://github.com/vim/vim/issues/11766
It's fixed upstream in 9.0.1117: https://github.com/vim/vim/commit/7b8db … 0e3e0a49fd
Here's the Arch vim package bug: https://bugs.archlinux.org/task/77043?p … string=vim
Testing already has 9.0.1182, fixing this: https://archlinux.org/packages/testing/x86_64/vim/
Last edited by ilf0 (2023-01-12 14:51:58)
Offline
Sorry all for not writing earlier. Was bit busy. After the update, everything seems to be fine, so I will leave things as they are. It really seems to have been a bug.
Thanks to all for the many informative replies, I did follow them, even when I was not writing.
Cheers all.
Offline