Hi,

There is an issue that recently (re)surfaced about being able to copy-paste control characters into a terminal -- for example, pasting some text into an opened vim might trigger arbitrary command execution (since the text might include characters corresponding to pressing ESC, then typing ":!some-command"). The problem is not specific to the vim editor, since other character combinations exist for other applications.


The issue is even more dangerous since browsers don't display characters that may cause such trouble when copy-pasted into a terminal (like  for ESC). More details and PoC:

http://www.openwall.com/lists/oss-security/2018/03/05/2

I know rxvt-unicode doesn't use the VTE library, but it had the same problem and it's patched now: https://bugzilla.gnome.org/show_bug.cgi?id=753197

I've prepared a similar patch. The filtering is made optional and it's controlled via a dedicated resource setting.

Alexander Sergeyev (1):
 add option to filter control characters on paste

src/optinc.h    |  1 +
src/rsinc.h     |  1 +
src/screen.C    | 63 ++++++++++++++++++++++++++++++++++++++++++++-----
src/xdefaults.C |  1 +
4 files changed, 60 insertions(+), 6 deletions(-)

--
2.17.0
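
The kind of paste filtering discussed in this message, as an added example; it is not the attached patch and not rxvt-unicode or VTE code. The function names `filter_paste` and `is_kept_c0` are hypothetical, and the policy (keep TAB, LF and CR, drop other control characters) and the UTF-8 input encoding are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Policy assumed for this example: keep TAB, LF and CR, drop every other
 * C0 control (0x00-0x1F), DEL (0x7F) and the UTF-8 encoded C1 controls
 * U+0080..U+009F (bytes 0xC2 0x80..0x9F). Input is assumed to be UTF-8. */
static int is_kept_c0(unsigned char c)
{
    return c == '\t' || c == '\n' || c == '\r';
}

/* Filters len bytes of in into out (out must hold at least len bytes).
 * Returns the number of bytes written; *dropped counts removed characters. */
size_t filter_paste(const unsigned char *in, size_t len,
                    unsigned char *out, size_t *dropped)
{
    size_t o = 0, d = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        if ((c < 0x20 && !is_kept_c0(c)) || c == 0x7F) {
            d++;                       /* C0 control (ESC included) or DEL */
        } else if (c == 0xC2 && i + 1 < len &&
                   in[i + 1] >= 0x80 && in[i + 1] <= 0x9F) {
            d++;                       /* C1 control, two bytes in UTF-8 */
            i++;
        } else {
            out[o++] = c;              /* printable byte or kept whitespace */
        }
    }
    if (dropped)
        *dropped = d;
    return o;
}

int main(void)
{
    /* Constructed clipboard content: visible text, ESC, then an ex command. */
    static const unsigned char clip[] = "ls -la\x1b:!some-command\n";
    unsigned char out[sizeof clip];
    size_t dropped;
    size_t n = filter_paste(clip, sizeof clip - 1, out, &dropped);
    printf("kept %zu bytes, dropped %zu control character(s): %.*s",
           n, dropped, (int)n, (const char *)out);
    return 0;
}
```

With the ESC byte removed, the rest of the constructed clipboard text reaches the application as ordinary characters instead of a mode switch followed by a command.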

