On Thu, Apr 19, 2018 at 11:40:17AM +0300, Alexander Sergeyev <sergeev...@gmail.com> wrote: > Personally, I do like the idea of doing filtering on the terminal emulator > side; the first reason is that I'm only using one terminal emulator
I am not quite sure I am convinved of the usefulness of simply filtering characters. The approach of confirm-paste seems to be much more useful - it can shield the user in the same way, but wouldn't completely inhibit the feature. Having it in a script language also makes it easier for users to tune things to their liking. > Here, the second reason -- I cannot see a reasonable use case for being able > to paste control characters (it's definitely subjective, but I'm interested The most obvious usage is to paste shell commands. I do that all the time. Less often I paste keyboard macros into interactive programs (which contain control sequences). > keeping it (again, subjective). "Close" here is relative, since some > interesting stuff might be achieved by mere TAB triggering shell > autocompletion scripts and filtering TABs is generally undesireable. But > nonetheless. I am not quite sure what the point is of a patch that filters some but not all sequences that can cause any kind of command execution. TAB either must be filtered, or the feature is useless. Basically anything that isn't \x20-\x7e must be filtered, really. In fact, if you think about it, the whole approach is pretty much futile, since, as has been pointed out before, urxvt cannot know how programs react. Many programs have shell escapes, which might or might be triggered without control characters, or the user could be tricked. That's why none of those "filtering" approaches will actually protect users - users need to a) understand what they are pasting and b) be able to see what they are pasting. As long a sprograms paste something different than what the user selects no amount of filtering will help. As such, while you might feel safe with your filtering approach, it's not really protecting you. > To sum up, I'm trying to say that it would be great to have the option. Some > users might not have any valid use case to paste control characters and some > might not even consider this to be possible. True, but the patch does not fix things for them either. At best, it will lull them into a false sense of security. It really can't be done in the terminal emulator. It's a lesson that should have been learned long ago, for example, by all these windows exploits that use filenames of the form: "trojan.jpg .scr" There as well as here, as long as the application doesn't give the user a chance to make an informed decision, the problem persists. -- The choice of a Deliantra, the free code+content MORPG -----==- _GNU_ http://www.deliantra.net ----==-- _ generation ---==---(_)__ __ ____ __ Marc Lehmann --==---/ / _ \/ // /\ \/ / schm...@schmorp.de -=====/_/_//_/\_,_/ /_/\_\ _______________________________________________ rxvt-unicode mailing list rxvt-unicode@lists.schmorp.de http://lists.schmorp.de/mailman/listinfo/rxvt-unicode