undefined | Better HN

0 pointsJadeNB9y ago0 comments

> Just set dom.event.clipboardevents.enabled = false.

Your parent's link's trickery is to do not with JavaScript (it just uses raw HTML), so this would not mitigate that attack:

    <p class="codeblock">
      <!-- Oh noes, you found it! -->
      git clone
      <span style="position: absolute; left: -100px; top: -100px">/dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!<br>Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd<br>git clone </span>
      git://git.kernel.org/pub/scm/utils/kup/kup.git
    </p>

> Some shells also handle the paste and try to detect anything funny going on or at least let you review before you execute.

The link also mentions that bracketed paste mode does not prevent this attack:

> Please note that _Bracketed Paste Mode DOES NOT always fix this_ because the end sequence can be inside the text you paste unless your terminal emulator filters out the bracketed paste characters when pasting!

0 comments

2 comments · 1 top-level

ultramancool9y ago· 1 in thread

You missed a key point:

> unless your terminal emulator filters out the bracketed paste characters when pasting!

Any sane terminal should already be doing that, if not there's not really any point in offering bracketed paste in the first place as any input could break out of it.

Of course, this should really be on the browser for not delivering the proper text that the user selected to the clipboard.

JadeNBOP9y ago

> Any sane terminal should already be doing that, if not there's not really any point in offering bracketed paste in the first place as any input could break out of it.

I wanted to test whether the Mac OS Terminal.app does that, but can't even figure out how to turn on bracketed paste mode in the first place. (All a Google search turns up is an SO result assuring me that Terminal.app supports BPM. I can't find it anywhere in the settings.)

> Of course, this should really be on the browser for not delivering the proper text that the user selected to the clipboard.

On the other hand, it's hard to give an argument for how the browser should know that the user didn't mean to select the extra portion of the text. I know that I am always resistant to solutions where my software insists that it knows better than I do. Maybe a prompt if the selection includes invisible text? (I guess the browser can tell whether some of the text being selected is out of the view window.)

j / k navigate · click thread line to collapse

  git clone /dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust! Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd git clone git://git.kernel.org/pub/scm/utils/kup/kup.git 