Hi,
there is an issue that recently (re)surfaced about being able to copy-paste
control characters into a terminal -- for example, pasting some text into an
open vim might trigger arbitrary command execution (since the text
might include characters corresponding to pressing ESC, then typing
":!some-command"). The problem is not specific to the vim editor, since
other character combinations exist for other applications.
The issue is even more dangerous since browsers don't display characters
that may cause such trouble when copy-pasted into a terminal (like
 for ESC). More details and PoC:
http://www.openwall.com/lists/oss-security/2018/03/05/2
I know rxvt-unicode doesn't use the VTE library, but it had the same problem
and it's patched now: https://bugzilla.gnome.org/show_bug.cgi?id=753197
I've prepared a similar patch. The filtering is made optional and it's
controlled via a dedicated resource setting.
Alexander Sergeyev (1):
add option to filter control characters on paste
src/optinc.h | 1 +
src/rsinc.h | 1 +
src/screen.C | 63 ++++++++++++++++++++++++++++++++++++++++++++-----
src/xdefaults.C | 1 +
4 files changed, 60 insertions(+), 6 deletions(-)
--
2.17.0
_______________________________________________
rxvt-unicode mailing list
rxvt-unicode@lists.schmorp.de
http://lists.schmorp.de/mailman/listinfo/rxvt-unicode
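
An added example, not part of the original message and not the code from the patch it announces: one way a terminal could filter control characters out of pasted text before forwarding it to the child process. The `PasteResult` type, the `filter_paste` name and the filtering policy (keep TAB, LF and CR; drop other C0 controls, DEL and UTF-8 encoded C1 controls) are assumptions, and the input is assumed to be valid UTF-8.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical result type for this example.
struct PasteResult {
  std::string text;     // bytes that may be forwarded to the child process
  std::size_t dropped;  // number of control characters removed
};

// Assumed policy: keep TAB, LF and CR; drop every other C0 control
// (0x00-0x1F, which includes ESC 0x1B), DEL (0x7F) and the C1 controls
// U+0080-U+009F in their UTF-8 form (0xC2 0x80 .. 0xC2 0x9F).
PasteResult filter_paste(const std::string &in) {
  PasteResult r{std::string(), 0};
  r.text.reserve(in.size());
  for (std::size_t i = 0; i < in.size(); ++i) {
    unsigned char c = static_cast<unsigned char>(in[i]);
    unsigned char next =
        i + 1 < in.size() ? static_cast<unsigned char>(in[i + 1]) : 0;
    if (c == '\t' || c == '\n' || c == '\r') {
      r.text.push_back(in[i]);
    } else if (c < 0x20 || c == 0x7F) {
      ++r.dropped;  // C0 control or DEL
    } else if (c == 0xC2 && next >= 0x80 && next <= 0x9F) {
      ++r.dropped;  // C1 control: skip both bytes
      ++i;
    } else {
      r.text.push_back(in[i]);  // printable ASCII or other UTF-8 bytes
    }
  }
  return r;
}

int main() {
  // Constructed sample: visible text followed by ESC and an ex command.
  const std::string pasted = std::string("echo hi\x1b") + ":!some-command\n";
  PasteResult r = filter_paste(pasted);
  std::cout << r.text << "dropped: " << r.dropped << "\n";
  return 0;
}
```

With the ESC byte removed, the rest of the sample reaches the application as ordinary inserted text, and the `dropped` count lets the caller tell the user that the paste was altered.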