oss-sec mailing list archives

Re: with firefox on X11, any page can pastejack you anytime

From: Steffen Nurpmeso <steffen () sdaoden eu>
Date: Thu, 19 Oct 2023 18:45:04 +0200

Sam Bull wrote in
 <d85658c838a1338c829cee30fb9c344688a2a470.camel () sambull org>:
 |On Wed, 2023-10-18 at 13:25 -0500, Grant Taylor wrote:
 |> I think that this is more a problem with X11 security than it is a 
 |> problem specific to Mozilla / Firefox.
 |
 |Also a problem with shell security. If you paste something with line \
 |breaks into bash, it
 |executes them. If you paste the same into fish, it doesn't (it'll display \
 |the multi-line
 |input and expect you to hit the enter key to execute it as a command).

That is plain not true, but depends on the "bracketed paste" mode
of readline which in turn depends on the terminal (emulator) and
likely even upon the ncurses library.
See bash(1) (Readline Variables, enable-bracketed-paste, default
on).  Btw Mr. Dickey (ncurses, xterm, vile, etc) has an
informative page on this:

  https://invisible-island.net/xterm/xterm-paste64.html

 --End of <d85658c838a1338c829cee30fb9c344688a2a470.camel () sambull org>

(Not that it matters, but the MUA i maintain does not yet support
bracketed paste mode, its own yanking mechanism works only like
that though.  I will implement it for v14.10, it is in TODO.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Current thread:

with firefox on X11, any page can pastejack you anytime turistu (Oct 17)
- Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Grant Taylor (Oct 18)
  - Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky (Oct 18)
    - Re: with firefox on X11, any page can pastejack you anytime Grant Taylor (Oct 18)
    - Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky (Oct 18)
    - Re: with firefox on X11, any page can pastejack you anytime Jan Engelhardt (Oct 18)
  - Re: with firefox on X11, any page can pastejack you anytime Sam Bull (Oct 19)
    - Re: with firefox on X11, any page can pastejack you anytime Steffen Nurpmeso (Oct 19)
    - Re: with firefox on X11, any page can pastejack you anytime Sam Bull (Oct 19)
    - Re: with firefox on X11, any page can pastejack you anytime Jeremy Stanley (Oct 19)
    - Re: with firefox on X11, any page can pastejack you anytime Turistu (Oct 19)
    - Re: with firefox on X11, any page can pastejack you anytime David Leadbeater (Oct 20)
    - Re: with firefox on X11, any page can pastejack you anytime David Leadbeater (Oct 20)
    - Re: with firefox on X11, any page can pastejack you anytime nightmare . yeah27 (Oct 20)
    - Re: Re: with firefox on X11, any page can pastejack you anytime Steffen Nurpmeso (Oct 20)
    - Re: with firefox on X11, any page can pastejack you anytime niekt0 (Oct 19)
    - Re: with firefox on X11, any page can pastejack you anytime Jeffrey Walton (Oct 19)
  - Re: with firefox on X11, any page can pastejack you anytime Donald Buczek (Oct 20)

(Thread continues...)