Andrew Mass wrote in
<CAEJgb2AT6noZjGGR6bDM1ZUaCLFu2KKOXXe7fWCw0rhWZWw7rg_AT_mail.gmail.com>:
|I believe bracketed paste mode was originally intended for use cases
|like text editors, but it seems like many shells are using it as well
|to differentiate typed from pasted text. One advantage of this is
|preventing commands from running automatically when pasted into the
|terminal. This seems beneficial from a security standpoint. For
|example, see:
|https://thejh.net/misc/website-terminal-copy-paste
|
|st fails with the second example because the bracketed paste end
|sequence (\033[201~) is contained within the clipboard buffer (you can
|see this in the HTML source), which incorrectly signals to the shell
|an early end to bracketed paste mode, allowing the rest of the command
|to run as if typed.
|
|One seemingly simple way to prevent this would be to sanitize /
|disallow pasting buffers that contain this exact sequence. If
|bracketed paste mode is active, it seems incorrect to me to allow
|writing an "early" end sequence.
|
|I believe some other terminals take it a step further by sanitizing
|all sorts of other potentially "dangerous" characters (e.g.:
|https://gitlab.gnome.org/GNOME/vte/-/blob/master/src/pastify.cc)
|
|Curious to hear what others' thoughts are on this, and whether a patch
|along these lines would be seen as valuable. If so, I could try to
|send one over.
Thomas Dickey as "the one" wrote about all that:
https://invisible-island.net/xterm/xterm-paste64.html
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
Received on Sat May 10 2025 - 23:21:27 CEST
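
An added example, not part of the thread and not st's own code: one way to implement the sanitizing proposed in the quoted mail, which drops every bracketed paste end sequence (\033[201~) from a clipboard buffer before it is written to the shell. The name paste_sanitize and the sample buffer are assumptions made for illustration; the filter re-checks the tail of its output after each byte, because removing one marker can splice the bytes around it into a new one.

```c
#include <stddef.h>
#include <string.h>

/* Marker the terminal itself appends after pasted text in bracketed paste mode. */
static const char PASTE_END[] = "\033[201~";
#define PASTE_END_LEN (sizeof(PASTE_END) - 1)

/*
 * Hypothetical helper (not st's API): filter buf in place so that it no
 * longer contains PASTE_END, and return the new length. After each copied
 * byte the tail of the output is compared with the marker and dropped on a
 * match, so a marker that only forms once an inner one is removed is
 * caught in the same pass.
 */
size_t
paste_sanitize(char *buf, size_t len)
{
	size_t in, out = 0;

	for (in = 0; in < len; in++) {
		buf[out++] = buf[in];	/* out <= in, so this never clobbers unread input */
		if (out >= PASTE_END_LEN &&
		    memcmp(buf + out - PASTE_END_LEN, PASTE_END, PASTE_END_LEN) == 0)
			out -= PASTE_END_LEN;
	}
	return out;
}

int
main(void)
{
	/* Constructed sample: pasted text with an embedded end marker. */
	char clip[] = "echo pasted\033[201~\necho typed\n";
	size_t n = paste_sanitize(clip, sizeof(clip) - 1);

	/* The marker is gone; the newline is still there, but now it stays
	 * inside the bracketed region, so the shell treats it as pasted. */
	return n == strlen("echo pasted\necho typed\n") ? 0 : 1;
}
```

A terminal would call such a filter only while bracketed paste mode is active, between writing \033[200~ and its own closing \033[201~.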