On Thu, Apr 19, 2018 at 11:40:17AM +0300, Alexander Sergeyev 
<sergeev...@gmail.com> wrote:
> Personally, I do like the idea of doing filtering on the terminal emulator
> side; the first reason is that I'm only using one terminal emulator

I am not quite sure I am convinced of the usefulness of simply filtering
characters. The approach of confirm-paste seems to be much more useful - it
can shield the user in the same way, but wouldn't completely inhibit the
feature.

Having it in a script language also makes it easier for users to tune
things to their liking.

> Here, the second reason -- I cannot see a reasonable use case for being able
> to paste control characters (it's definitely subjective, but I'm interested

The most obvious usage is to paste shell commands. I do that all the
time.  Less often I paste keyboard macros into interactive programs (which
contain control sequences).

> keeping it (again, subjective). "Close" here is relative, since some
> interesting stuff might be achieved by mere TAB triggering shell
> autocompletion scripts and filtering TABs is generally undesirable. But
> nonetheless.

I am not quite sure what the point is of a patch that filters some but not
all sequences that can cause any kind of command execution. TAB either
must be filtered, or the feature is useless. Basically anything that isn't
\x20-\x7e must be filtered, really.

In fact, if you think about it, the whole approach is pretty much futile,
since, as has been pointed out before, urxvt cannot know how programs react.
Many programs have shell escapes, which might or might not be triggered without
control characters, or the user could be tricked.

That's why none of those "filtering" approaches will actually protect users -
users need to a) understand what they are pasting and b) be able to see what
they are pasting. As long as programs paste something different than what
the user selects no amount of filtering will help.

As such, while you might feel safe with your filtering approach, it's not
really protecting you.

> To sum up, I'm trying to say that it would be great to have the option. Some
> users might not have any valid use case to paste control characters and some
> might not even consider this to be possible.

True, but the patch does not fix things for them either. At best, it will
lull them into a false sense of security. It really can't be done in the
terminal emulator.

It's a lesson that should have been learned long ago, for example, by all
these Windows exploits that use filenames of the form:

   "trojan.jpg                                   .scr"

There as well as here, as long as the application doesn't give the user a
chance to make an informed decision, the problem persists.

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schm...@schmorp.de
      -=====/_/_//_/\_,_/ /_/\_\

_______________________________________________
rxvt-unicode mailing list
rxvt-unicode@lists.schmorp.de
http://lists.schmorp.de/mailman/listinfo/rxvt-unicode
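
An added example, not part of the original message and not the code of urxvt's confirm-paste extension: a stand-alone Python illustration of letting the user see what is about to be pasted, flagging every character outside the \x20-\x7e range named in the message instead of silently dropping it. The function names and the sample paste are assumptions constructed for this illustration.

```python
import unicodedata

# The printable range named in the message: \x20-\x7e inclusive.
PRINTABLE = range(0x20, 0x7F)

def findings(paste):
    """Return (offset, codepoint, label) for every character outside 0x20-0x7e."""
    out = []
    for i, ch in enumerate(paste):
        cp = ord(ch)
        if cp in PRINTABLE:
            continue
        if cp < 0x20 or cp == 0x7F:
            # Caret notation for C0 controls and DEL: TAB -> ^I, ESC -> ^[
            label = "^" + chr(cp ^ 0x40)
        else:
            # Everything else (C1 controls, bidi overrides, accented letters)
            # is named, or shown as U+XXXX when Unicode gives it no name.
            label = unicodedata.name(ch, "U+%04X" % cp)
        out.append((i, cp, label))
    return out

def render_visible(paste):
    """Rewrite the paste so each flagged character appears as <label>."""
    marks = {i: label for i, _, label in findings(paste)}
    return "".join("<%s>" % marks[i] if i in marks else ch
                   for i, ch in enumerate(paste))

def confirm_prompt(paste):
    """Text to show before pasting, or None when nothing needs review."""
    found = findings(paste)
    if not found:
        return None
    return "%d non-printable character(s) in paste:\n%s" % (
        len(found), render_visible(paste))

# Constructed sample: a selection that carries a TAB and a trailing newline.
SAMPLE = "ls -l\tREADME\n"

if __name__ == "__main__":
    print(confirm_prompt(SAMPLE))
```

Nothing is removed from the paste; the decision stays with the user, who now sees the TAB and the newline that a plain rendering would hide.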
