oss-sec mailing list archives
Re: with firefox on X11, any page can pastejack you anytime
From: Sam Bull <9m199i () sambull org>
Date: Thu, 19 Oct 2023 18:17:00 +0100
On Thu, 2023-10-19 at 18:45 +0200, Steffen Nurpmeso wrote:
Sam Bull wrote in <d85658c838a1338c829cee30fb9c344688a2a470.camel () sambull org>: |On Wed, 2023-10-18 at 13:25 -0500, Grant Taylor wrote: |> I think that this is more a problem with X11 security than it is a |> problem specific to Mozilla / Firefox. | |Also a problem with shell security. If you paste something with line \ |breaks into bash, it |executes them. If you paste the same into fish, it doesn't (it'll display \ |the multi-line |input and expect you to hit the enter key to execute it as a command). That is plain not true
OK, the behaviour on my terminal is completely different depending solely on which shell I use: s@s-laptop ~> bash s@s-laptop:~$ That is plain not true, but depends on the "bracketed paste" mode Command 'That' not found, did you mean: command 'phat' from deb phat-utils (1.5-3build2) command 'chat' from deb ppp (2.4.7-2+4.1ubuntu5.1) command 'jhat' from deb openjdk-8-jdk-headless (8u382-ga-1~20.04.1) Try: sudo apt install <deb name> s@s-laptop:~$ of readline which in turn depends on the terminal (emulator) and bash: syntax error near unexpected token `(' s@s-laptop:~$ likely even upon the ncurses library. likely: command not found s@s-laptop:~$ See bash(1) (Readline Variables, enable-bracketed-paste, default bash: syntax error near unexpected token `(' s@s-laptop:~$ on). Btw Mr. Dickey (ncurses, xterm, vile, etc) has an bash: syntax error near unexpected token `)' s@s-laptop:~$ fish s@s-laptop ~> That is plain not true, but depends on the "bracketed paste" mode of readline which in turn depends on the terminal (emulator) and likely even upon the ncurses library. See bash(1) (Readline Variables, enable-bracketed-paste, default on). Btw Mr. Dickey (ncurses, xterm, vile, etc) has an informative page on this:
That observation may be outdated. At least my bash 5.2.15 on Debian
Yes, I'm on an older release still, so maybe it has been fixed in the past 3 or so years.
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- with firefox on X11, any page can pastejack you anytime turistu (Oct 17)
- Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Grant Taylor (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Grant Taylor (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Jan Engelhardt (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Sam Bull (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime Steffen Nurpmeso (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime Sam Bull (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime Jeremy Stanley (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime Turistu (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime David Leadbeater (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime David Leadbeater (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime nightmare . yeah27 (Oct 20)
- Re: Re: with firefox on X11, any page can pastejack you anytime Steffen Nurpmeso (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime niekt0 (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime Jeffrey Walton (Oct 19)