cc'ing the list again, since my reply has Timo's code formatted in a more
readable & useful way-

On Wed, Mar 8, 2017 at 1:58 AM, ToddAndMargo <> wrote:

> Are you saying that someone could go into a module, alter the code,
> then catch a root level program calling the module and use it
> to wreck havoc on a system?

No, my main intent is showng that the code won't copy a string with a quote
in it, and can have unintended side effects.

Right now perhaps you don't need to copy a quote and it's all good for what
it's doing. A few years from now you might find a different use for the
module and forget about that limitation, and then spend some time debugging
when it doesn't work once in a while.

Or maybe someone else will see the thread after searching for "perl6
clipboard" & use the code in an open-source command-line tool. Then a 3rd
party decides that tool is just the thing to let their web app interact
with a back-end utility. Then a black-hat hacker looks at source, sees the
code is being used to paste a filename into some server-side tool, and
uploads a file with a quote & pipe in its name to get the webserver to
execute some commands. Stranger things happen!

But mostly, it's theoretical, and I (and Timo too I think) hope you'll
"get" what's going on behind the scenes, and know how to get input into
command-line tools safely.

This guy's module
> has the same "flaw" all over it as he is using a pipe and xclip.

That code does something to keep that flaw from happening. Try sending my
weird string though his code, and it will go in the clipboard exactly as it
ought to with no side effect.

Now the question arises, how does one write to the "clipboard"
> (not the primary) without using a pipe or xclip?

Keep using xclip, in the way Timo wrote about. He embedded it in a single
line so it looked tricky, here it is reformatted into a sub (and with
"-loops 1" removed since xclip will exit on its own when something else
writes to the clipboard, and with "say" changed to "print" so we don't add
an extra newline):

sub WriteSecondaryClipboard ( $Str ) {     # <ctrl><c>
  my $proc = run 'xclip -selection primary', :in, :out; # This runs xclip
in a background process
  $ $Str; # This pipes to xclip safely! All special chars,
even control characters, go into the xclip $proc
  $; # This sends the EOF
  $proc.out.slurp-rest(:close); # This makes sure the process isn't waiting
to write anything

WriteSecondaryClipboard "hello | touch BadFile.txt \n ls \n #Comment all
you like \n \" even a | quote is OK! \" ";

Now, I can't actually test the above, because I don't have access to a
Linux host at the moment! I mostly run on Windows! So you'll have to tell
me if that code is as good as I hope it is. (And alas I cannot run the
example you sent.)


Reply via email to