Christian Brabandt wrote:

> Bram,
> There was a problem about pasting special terminal chars reported at
> Initially I thought that bracketed-paste mode will prevent such things, 
> but it seems this still works. Is there anything Vim can do to prevent 
> such things (at least when pasting in bracketed paste mode)?
> Here is a copy of the beginning of the message (until the Vim poc):
> ---- ----
> Hello,
> When pasting characters into several terminal emulators, control
> characters are allowed. This turns to be a security problem, due to the
> fact that when pasting these characters into terminal text editors, such
> as vi/vim, emacs, nano, etc., remote code execution is possible.
> This is supposed to be fixed in recent versions of VTE [3], which means
> VTE-based terminal emulators should be safe, but the problem is that
> most distros are shipping older versions and remain vulnerable.
> Here's a list of terminal emulators I tested this where it worked. Some
> came by default in my distro (debian), others were installed via
> apt-get. This should also work on other distros:
> LXTerminal
> rxvt
> urxvt
> putty
> gnome-terminal
> Konsole
> Guake
> Yakuake
> tilda
> Terminator
> xfce4-terminal
> Terminology
> ROXTerm
> sakura
> lilyterm
> Eterm
> aterm
> mrxvt
> pterm
> Please, update VTE and check if the below still works. For the others
> that aren't based on VTE, CVEs should be assigned to each of them. Can
> someone help me figure out which ones are based on VTE and those that
> aren't?
> To reproduce using vi/vim, create an html with the following command:
> $ printf '<html>something;&#27;:!id<br>a</html>' > poc.html
> Open the poc.html in a browser, select and copy the text that is
> presented, and paste it into vi/vim in insert mode. The command "id"
> should then be executed.
> This works because pasting "&#27;" is allowed, which is the "escape". By
> pressing "escape" in insert mode, it is possible to go back to default
> mode, and by using the exclamation mark (!) it is possible to execute
> arbitrary commands.
> [...]
> ----------------------------

I cannot reproduce this in xterm or gnome-terminal.  Using Chrome as the
browser.  With normal paste the Esc is inserted as a character.  When
pasting with Shift pressed the Esc is stripped.
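One shape the paste filtering Christian asks about could take, as an added example (not Vim's code and not from either message): strip every C0/C1 control character except tab, newline and carriage return from a bracketed-paste body before it is treated as typed keys, so the ESC in the poc.html payload never leaves insert mode. The `\x1b[200~` / `\x1b[201~` markers are the standard xterm bracketed-paste delimiters; the function and variable names are assumptions for this example.

```python
from typing import Optional

# Standard xterm bracketed-paste delimiters (ESC [ 200 ~ ... ESC [ 201 ~).
PASTE_START = "\x1b[200~"
PASTE_END = "\x1b[201~"

# Whitespace controls that legitimately occur in pasted text.
ALLOWED_CONTROLS = {"\t", "\n", "\r"}


def is_control(ch: str) -> bool:
    """True for C0 (0x00-0x1f), DEL (0x7f) and C1 (0x80-0x9f) characters."""
    code = ord(ch)
    return code < 0x20 or 0x7F <= code <= 0x9F


def has_dangerous_controls(text: str) -> bool:
    """Report whether a paste carries controls other than tab/CR/LF, e.g. ESC."""
    return any(is_control(ch) and ch not in ALLOWED_CONTROLS for ch in text)


def sanitize_paste(text: str) -> str:
    """Drop every control character except tab, newline and carriage return.

    With ESC (0x1b) removed, the remainder of the PoC (':!id') is inserted as
    literal text instead of being executed as a Normal-mode command.
    """
    return "".join(ch for ch in text if not is_control(ch) or ch in ALLOWED_CONTROLS)


def extract_paste_body(raw_input: str) -> Optional[str]:
    """Return the body of a bracketed paste from raw terminal input, or None.

    Only the text between the start and end markers is a paste; anything
    after the end marker is ordinary keyboard input and is not returned.
    """
    if not raw_input.startswith(PASTE_START):
        return None
    end = raw_input.find(PASTE_END, len(PASTE_START))
    if end == -1:
        return None
    return raw_input[len(PASTE_START):end]


if __name__ == "__main__":
    # Constructed sample: the payload from poc.html as a terminal would deliver it.
    pasted = PASTE_START + "something;\x1b:!id\na" + PASTE_END
    body = extract_paste_body(pasted)
    print("dangerous:", has_dangerous_controls(body))
    print("safe text:", repr(sanitize_paste(body)))
```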

