https://bugs.kde.org/show_bug.cgi?id=367899
Bug ID: 367899
Summary: Please consider sanitizing middle-click-pasted text control characters for security reasons
Product: konsole
Version: 16.04.2
Platform: Debian unstable
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: copy-paste
Assignee: konsole-de...@kde.org
Reporter: sami.lie...@iki.fi

While middle-click-pasting text into konsole, control characters like ESC (or probably Ctrl-C) get through, which has security implications. Most other terminals, especially xterm and gnome-terminal, sanitize the characters they let through (e.g. changing ESC into "^["), making it generally safe to paste in cat >textfile.txt, vim or emacs.

Of course, for this to be a viable attack route, it usually requires an attacker to get benign-looking text containing control characters on the clipboard. That may or may not be easy. Previously even browsers have greatly assisted in this.

Reproducible: Always

Steps to Reproduce:
1. echo -e '\e:!echo foo' | xclip -i (or copy similar text from an application)
2. Middle-click paste to konsole in vim insert mode
3. Observe that vim has executed the "echo foo" shell command.
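The reproduction works because the pasted bytes are ESC, then ":!echo foo", then the newline that echo appends: ESC drops vim out of insert mode, ":!echo foo" enters an ex command, and the newline executes it. The sanitization the report describes for xterm and gnome-terminal turns the ESC byte into the two printable characters "^[" before the application sees it, so vim simply inserts them as text. The following is an added example of that paste filter, written for this page and not konsole's own code; which whitespace controls are let through unchanged (newline, tab, carriage return) and how C1 controls are rendered are assumptions made here, not behaviour documented in the report.

```python
"""Caret-escaping paste sanitizer (added example, not konsole code).

Every C0 control character and DEL in pasted text is rewritten in
caret notation (ESC -> "^[", Ctrl-C -> "^C", DEL -> "^?") so that the
foreground application receives only printable characters. Which
controls are allowed through literally is an assumption of this
example; a real terminal would make it configurable.
"""

# Assumption: plain whitespace controls are passed through unchanged so
# multi-line pastes still work in cat, vim and emacs.
ALLOWED_CONTROLS = frozenset({"\n", "\t", "\r"})


def is_control(ch: str) -> bool:
    """True for C0 (0x00-0x1f), DEL (0x7f) and C1 (0x80-0x9f) controls."""
    code = ord(ch)
    return code < 0x20 or code == 0x7F or 0x80 <= code <= 0x9F


def caret(ch: str) -> str:
    """Caret notation for a single C0 control or DEL."""
    code = ord(ch)
    if code == 0x7F:
        return "^?"
    assert code < 0x20
    return "^" + chr(code + 0x40)  # 0x1b + 0x40 = '[' , 0x03 + 0x40 = 'C'


def sanitize_paste(text: str, allowed=ALLOWED_CONTROLS) -> str:
    """Return the pasted text with disallowed controls made printable.

    C1 controls (e.g. U+009B, the 8-bit CSI) have no caret form; the
    assumption here is to render them as a \\xNN escape rather than
    deliver them, since some terminals act on them just like ESC [.
    """
    out = []
    for ch in text:
        if ch in allowed or not is_control(ch):
            out.append(ch)
        elif ord(ch) >= 0x80:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(caret(ch))
    return "".join(out)


def find_controls(text: str, allowed=ALLOWED_CONTROLS):
    """List (offset, U+XXXX) for each control that would be rewritten.

    Useful as a pre-paste check: an empty list means the paste is clean.
    """
    return [
        (i, "U+%04X" % ord(ch))
        for i, ch in enumerate(text)
        if is_control(ch) and ch not in allowed
    ]


# Constructed sample: exactly what step 1 of the report puts on the
# clipboard (echo -e adds the trailing newline).
REPORT_PAYLOAD = "\x1b:!echo foo\n"


if __name__ == "__main__":
    print("raw      :", repr(REPORT_PAYLOAD))
    print("controls :", find_controls(REPORT_PAYLOAD))
    print("sanitized:", repr(sanitize_paste(REPORT_PAYLOAD)))
```

After sanitization the payload is "^[:!echo foo\n": vim, still in insert mode, receives only printable text and a newline, so the ":!echo foo" never reaches command mode. Note that this is a terminal-side mitigation that changes the bytes an application receives; it is distinct from bracketed paste mode (not discussed in the report), where the terminal instead wraps the paste in ESC [ 200~ ... ESC [ 201~ and leaves it to an opted-in application to treat the contents literally.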