Re: [hackers] [st][PATCH] in bracketed paste mode, filter escapes from pasted data

From: Hiltjo Posthuma <hiltjo_AT_codemadness.org>
Date: Fri, 3 Nov 2017 00:13:07 +0100

On Thu, Nov 02, 2017 at 10:42:05PM +0100, Jann Horn wrote:
> Browsers permit copied data to contain escape characters. To prevent
> malicious websites (or other sources of malicious text) from faking a
> bracketed paste end sequence, filter escape characters from pasted text in
> bracketed paste mode.
>
> xterm unconditionally filters out a bunch of control characters, including
> \033, in pasted data (see removeControls() in button.c in the xterm
> sources), so I think that this change should be fine from a compatibility
> standpoint.
> ---
> LICENSE | 1 +
> x.c | 22 ++++++++++++++++++++--
> 2 files changed, 21 insertions(+), 2 deletions(-)
>
> diff --git a/LICENSE b/LICENSE
> index fa0c63e..ce7ee42 100644
> --- a/LICENSE
> +++ b/LICENSE
> _AT_@ -11,6 +11,7 @@ MIT/X Consortium License
> © 2013 Michael Forney <mforney at mforney dot org>
> © 2013-2014 Markus Teich <markus dot teich at stusta dot mhn dot de>
> © 2014-2015 Laslo Hunhold <dev at frign dot de>
> +© 2017 Google LLC
>
> Permission is hereby granted, free of charge, to any person obtaining a
> copy of this software and associated documentation files (the "Software"),
> diff --git a/x.c b/x.c
> index 191e5dc..5e9efce 100644
> --- a/x.c
> +++ b/x.c
> _AT_@ -318,7 +318,7 @@ selnotify(XEvent *e)
> {
> ulong nitems, ofs, rem;
> int format;
> - uchar *data, *last, *repl;
> + uchar *data, *last, *repl, *readpos;
> Atom type, incratom, property;
>
> incratom = XInternAtom(xw.dpy, "INCR", 0);
> _AT_@ -385,9 +385,27 @@ selnotify(XEvent *e)
> *repl++ = '\r';
> }
>
> + /*
> + * In bracketed paste mode, we mark the pasted data by adding
> + * escape sequences around it (see below), but we also want to
> + * prevent the pasted data from prematurely signaling an end
> + * of paste. Therefore, strip escape characters from the
> + * pasted data.
> + */
> + if (IS_SET(MODE_BRCKTPASTE)) {
> + readpos = data;
> + repl = data;
> + while (readpos < last) {
> + if (*readpos != '\033')
> + *repl++ = *readpos;
> + readpos++;
> + }
> + last = repl;
> + }
> +
> if (IS_SET(MODE_BRCKTPASTE) && ofs == 0)
> ttywrite("\033[200~", 6);
> - ttysend((char *)data, nitems * format / 8);
> + ttysend((char *)data, last - data);
> if (IS_SET(MODE_BRCKTPASTE) && rem == 0)
> ttywrite("\033[201~", 6);
> XFree(data);
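
Review bot: The filter loop under "if (IS_SET(MODE_BRCKTPASTE))" runs only when bracketed paste is enabled, so with the mode off, pasted \033 bytes still reach the application unchanged, although the commit message points to xterm filtering unconditionally. Consider filtering regardless of mode, or extend the new comment to say why the non-bracketed path is left alone. Only the ESC byte is dropped, so the rest of an embedded sequence (the literal text "[201~", for instance) is still sent; that is enough to stop a faked end-of-paste marker, and the comment could state it. The new length "last - data" is also used when the mode is off, which relies on "last" having been set to the end of the buffer earlier in selnotify(), outside this hunk; worth confirming against the full function.
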
> --
> 2.15.0.403.gc27cc4dac6-goog
>
>

This seems too specific to me (the browser use-case). It won't be applied.

-- 
Kind regards,
Hiltjo
Received on Fri Nov 03 2017 - 00:13:07 CET
