sorin-ionescu / prezto

The configuration framework for Zsh
MIT License

Safe Paste #519

Open ldane opened 10 years ago

ldane commented 10 years ago

Is there any way to include this zsh module into prezto? I already included it in my own prezto fork. It fixes the insecure paste problem mentioned here: http://thejh.net/misc/website-terminal-copy-paste and it also eliminates the slowness of syntax highlighting.

sorin-ionescu commented 10 years ago

Include what? You have not linked code. Link me, and I'll have a look.

ldane commented 10 years ago

Sorry, it's my fault. https://github.com/robbyrussell/oh-my-zsh/blob/master/plugins/safe-paste/safe-paste.plugin.zsh

sorin-ionescu commented 10 years ago

Right now, the threat of unsafe paste has been theoretical. No one has abused pastes yet. How does it eliminate the slowness of syntax highlighting?

ldane commented 10 years ago

When I paste a long URL, syntax highlighting processes each character and prints them one by one. With this zle widget, it bypasses syntax highlighting. Maybe I'm wrong, but it works for me. I just wanted to report it.

fuadsaud commented 10 years ago

Wow, didn't know this was even possible.

sorin-ionescu commented 10 years ago

I'm going to sit on this until there is at least one reported attack using this method. Shells have been around for almost four decades. Shell code is targeted at computer-proficient individuals, who do not easily fall victim to such an attack, and if someone did use this attack, it would be all over Hacker News and similar sites.

hagabaka commented 9 years ago

I think this provides "safety" against accidents and convenience, rather than "security" in the normal sense. It also makes the experience similar whether you paste a single line or multiple lines: you get to edit before running.

Proficient users can still accidentally press their middle mouse button or Shift-Enter, and even if the content of the clipboard doesn't contain a malicious command, it's nice to have an opportunity to cancel it. Proficient users may want to paste a few commands but edit parameters before running them.

Although it seems trivial to use that safe-paste.zsh in zprezto, by creating a module safe-paste and renaming it to safe-paste/init.zsh.

sorin-ionescu commented 9 years ago

@hagabaka According to http://thejh.net/misc/website-terminal-copy-paste, the Oh-My-Zsh code is still exploitable.

hagabaka commented 9 years ago

@sorin-ionescu There's no such thing as 100% security, but improving it a little bit is still good. Also, as the site you linked describes, the exploit works only if the terminal does not filter out the escape sequences from pasted text. It would be the terminal's job to guard against that.

However, I think the more important issue here is convenience or user-friendliness. If you paste one line into the terminal, you are able to edit it before running it. However, if you paste multiple lines, all except the last line will execute, without a chance to edit them. That can be inconvenient even if you trust the commands and know what you are doing, just with a normal chance of human error. safe-paste.zsh creates the same experience whether you are pasting one or multiple lines of commands.

sorin-ionescu commented 9 years ago

I'll play with it.

leoj3n commented 8 years ago

http://cirw.in/blog/bracketed-paste

sorin-ionescu commented 8 years ago

@leoj3n Isn't that shipped with Zsh?

leoj3n commented 8 years ago

No; for me, iTerm will execute pasted newlines when using Zsh installed via Homebrew on OS X until I add https://github.com/oz/safe-paste.git to my prezto as a submodule and source it like source "${0:h}/external/safe-paste/safe-paste.plugin.zsh", at which point, when pasting commands containing newlines into Zsh, iTerm waits for me to hit return on my own.

sorin-ionescu commented 8 years ago

@leoj3n I was speaking of bracketed-safe-paste. Isn't it shipped with Zsh?

piec commented 8 years ago

Apparently there is no need to bind ^[[200~ and ^[[201~; zsh does it by itself: https://github.com/zsh-users/zsh/commit/98687fa1dec803f041cbb5417c146d8aa5129b53#diff-68f5dc3b468fbb45182ab0e79bc3679eR1403

zsh also sends the "set/unset bracketed paste mode" sequences automatically to the terminal when zle is triggered (visible if you set zle_bracketed_paste to visible characters, like zle_bracketed_paste=('a' 'b')).

Maybe the "set/unset bracketed paste mode" sequences are only sent by zsh to some specific terminals and not to iTerm. That could explain @leoj3n's issue, or he may use an old version of zsh (pre 5.1).
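The two mechanisms discussed above (a terminal filtering escape sequences out of a paste, and zsh wrapping pastes in the ^[[200~ / ^[[201~ bracket) can be illustrated with a small POSIX shell script. This is an added example, not code from prezto, oh-my-zsh or the safe-paste plugin: the function names and the sample pastes are constructed for this demonstration. It classifies a chunk of pasted text the way a cautious terminal could before handing it to the shell, flagging embedded newlines (which a plain paste would execute) and an embedded end-of-bracket marker (which would let the rest of the text reach the shell outside the bracket), and shows a sanitised form.

```shell
#!/bin/sh
# Added example: classify and sanitise pasted text before it reaches a shell.
# Assumed helper names; sample inputs are constructed, not taken from the thread.

ESC=$(printf '\033')
NL=$(printf '\nx'); NL=${NL%x}   # keep a literal newline ($(...) strips trailing ones)
CR=$(printf '\r')

# paste_has_newline TEXT: succeeds if TEXT contains LF or CR, i.e. a plain
# (non-bracketed) paste would submit one or more lines to the shell.
paste_has_newline() {
  case "$1" in
    *"$NL"*|*"$CR"*) return 0 ;;
    *) return 1 ;;
  esac
}

# paste_has_bracket_marker TEXT: succeeds if TEXT itself contains the
# bracketed-paste start (ESC[200~) or end (ESC[201~) sequence. A terminal that
# does not strip these lets the text after ESC[201~ escape the bracket.
paste_has_bracket_marker() {
  case "$1" in
    *"${ESC}[200~"*|*"${ESC}[201~"*) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_paste TEXT: prints "bracket-escape", "newline" or "clean".
classify_paste() {
  if paste_has_bracket_marker "$1"; then
    printf 'bracket-escape'
  elif paste_has_newline "$1"; then
    printf 'newline'
  else
    printf 'clean'
  fi
}

# sanitize_paste TEXT: drops ESC and CR bytes and turns LF into a space, so the
# result can be inserted on the command line for review (the "[201~" left
# behind is then just visible text, not a control sequence).
sanitize_paste() {
  printf '%s' "$1" | tr -d '\033\r' | tr '\n' ' '
}
```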

leoj3n commented 8 years ago

Looks like some newline protection was added to iTerm five days after my Mar 1 comment:

https://gitlab.com/gnachman/iterm2/issues/1793 https://github.com/gnachman/iTerm2/commit/1805f84

I'm now using iTerm2 2.9.20160426 with zsh 5.2, without the safe-paste plugin, and pasted newlines are not being run. For this example:

echo "hi"

iTerm will throw a popup asking if I want the newline stripped. For the example from the website http://thejh.net/misc/website-terminal-copy-paste, the popup asking to remove the trailing newline does not appear, but luckily the command does not execute, it just sits on the command-line until I hit control-c or hit return.

piec commented 8 years ago

Ok, this is iTerm2 doing some extra confirmations on paste events, but it doesn't seem related to "bracketed paste mode", so it is not related to zsh.