Re: [hackers] [st][PATCH] in bracketed paste mode, filter escapes from pasted data

From: Jann Horn <jannh_AT_google.com>
Date: Mon, 6 Nov 2017 12:16:51 +0100

On Thu, Nov 2, 2017 at 11:08 PM, Devin J. Pohly <djpohly_AT_gmail.com> wrote:
> On Thu, Nov 02, 2017 at 10:42:05PM +0100, Jann Horn wrote:
>> Browsers permit copied data to contain escape characters. To prevent
>> malicious websites (or other sources of malicious text) from faking a
>> bracketed paste end sequence, filter escape characters from pasted text in
>> bracketed paste mode.
[...]
>> + while (readpos < last) {
>> + if (*readpos != '\033')
>> + *repl++ = *readpos;
>> + readpos++;
>> + }
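
Review bot: the comparison `*readpos != '\033'` in this loop matches only the single byte 0x1B, so a control sequence introducer pasted as U+009B (UTF-8 bytes 0xC2 0x9B) passes through untouched. If any consumer of this buffer decodes UTF-8 before looking for escape sequences, that two-byte form needs to be dropped as well, either here as a byte-pair match or after decoding. A short comment above the loop saying that ESC is stripped so pasted text cannot carry the bracketed paste end sequence would help. The visible lines also do not show the length being shortened afterwards, so it is worth checking that the code following the loop sends only the bytes up to `repl`.
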
>
> Wouldn't we need to catch U+009B too?

Ah, I didn't realize that there are actually two interesting data flows here:
The pasted data is written to the PTY master via
ttysend() -> ttywrite() -> write(),
but if local echo is turned on, it will also be written to the screen via
ttysend() -> techo() -> tputc(),
which involves UTF-8 decoding and removing the high bit from
control code runes, then looking for escape sequences.

So I guess I would have to add logic for blocking U+009B to ttysend(),
since doing that before UTF-8 decoding occurs would be a bit ugly?
Received on Mon Nov 06 2017 - 12:16:51 CET
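
The byte-level variant discussed in the thread, as an added example that is not part of the original messages or of st's code: it drops ESC and the UTF-8 encoding of U+009B from a paste buffer before any decoding, including when the two bytes are split across reads. The names `pastefilter`, `pastefilter_run` and `pastefilter_end` are hypothetical, the input is constructed, and the code assumes the later UTF-8 decoder rejects overlong encodings.

```c
#include <stdio.h>

/* Hypothetical state: the last byte seen was 0xC2, possibly half of U+009B. */
struct pastefilter { int pending_c2; };

/* Copy src[0..n) to dst without ESC (0x1B) and UTF-8 encoded U+009B
 * (0xC2 0x9B). dst needs room for n + 1 bytes. Returns bytes written. */
size_t pastefilter_run(struct pastefilter *f, const unsigned char *src,
                       size_t n, unsigned char *dst)
{
	size_t i, out = 0;
	for (i = 0; i < n; i++) {
		unsigned char c = src[i];
		if (c == 0x1B)
			continue; /* pending_c2 is kept, so C2 1B 9B cannot rejoin */
		if (f->pending_c2) {
			f->pending_c2 = 0;
			if (c == 0x9B)
				continue; /* 0xC2 0x9B: drop both bytes */
			dst[out++] = 0xC2; /* ordinary lead byte, emitted late */
		}
		if (c == 0xC2)
			f->pending_c2 = 1; /* decide when the next byte arrives */
		else
			dst[out++] = c;
	}
	return out;
}

/* End of paste: a held-back lone 0xC2 is passed through unchanged. */
size_t pastefilter_end(struct pastefilter *f, unsigned char *dst)
{
	if (!f->pending_c2)
		return 0;
	f->pending_c2 = 0;
	dst[0] = 0xC2;
	return 1;
}

int main(void)
{
	/* Constructed paste: fake end sequence in 7-bit and 8-bit form. */
	const unsigned char in[] = "abc\033[201~def\xC2\x9B" "201~ghi";
	unsigned char out[sizeof(in) + 1];
	struct pastefilter f = { 0 };
	size_t n = pastefilter_run(&f, in, sizeof(in) - 1, out);
	n += pastefilter_end(&f, out + n);
	printf("%.*s\n", (int)n, (const char *)out);
	return 0;
}
```

Checking for ESC before the pending 0xC2 matters: if the ESC were removed after the 0xC2 had already been emitted, the input 0xC2 0x1B 0x9B would come out as 0xC2 0x9B.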
