My terminal emulator (iTerm2) says “Warning: OK to paste one line ending in a newline at shell prompt?” It provides the options Paste, Paste Without Newline, and Cancel.
After selecting Paste (with newline), my shell (zsh) detects the paste and presents text at the prompt for editing as normal, including the newline, without executing it.
I don’t find it incomprehensively idiotic to allow a whole class of web applications to be possible. Any native app can “fuck with the OS clipboard” like this, so this theoretical attack can come from anywhere. Shells should (and, in some cases, seem to) be smart enough to not auto-execute on paste, without the user’s confirmation or permission.
The web is a relatively secure runtime for a lot of software that covers a lot of real needs for a lot of people.
One “safeguard” I employ is a haphazard way to prevent a spurious $ in copypasted blocks from messing with me, but I’ve started to prefer that $ because it makes me pause.
How often have there been any actual attacks with this? This always seemed highly hypothetical to me and not really something worth worrying about in the vast majority of cases.
On many platforms it won’t even be possible to do such tricks (e.g. GitHub, lobsters, Reddit, etc. where you can’t just add JS).
Also, this doesn’t work with the select/middle click copy buffer.
Are you going to take your chances, though? It doesn’t seem to me like much of an inconvenience just to paste into one’s editor first to have a look. I do this for newly visited, yet untrusted sites.
And the JS-based one may not work for select + middle click, but a similar attack can use CSS to hide text that would get included in the selection.
Why not? There is not a single documented case of a real world-attack as far as I can find, most websites people copy stuff from are trusted, most websites don’t allow arbitrary JS or CSS, and it’s actually not very convenient or economical from the attacker’s point of view (if you can fool someone in to trusting your site then you’re better off asking for credentials).
Is there a small chance? I suppose. But life is all about risk management and accepting only an absolute 0.0% of risk would mean a debilitating life.
Glad somebody mentioned this. I’ve been pasting into an editor forever (Preferably a GUI editor on my locak desktop that has zero chance if actually even getting anywhere near a shell :)
Good advice; last time this advice came up on Lobste.rs, my approach got voted down, but it’s realistic and honest: if I’m going to paste anything from an untrusted source near a command interpreter, I hit alt-v (or esc-v) to invoke a text editor (edit-command-line widget in zsh, bound in my shell) and then "+p to paste from the clipboard/selection into the text editor, where I can look at it, make sure I haven’t mis-selected text, that nothing else was happening; adjust as appropriate, and then save, which drops the edited line back in the shell line-editor, waiting for me to hit return.
It’s a tiny bit of obscure setup but having it a single keystroke away and the convenience of the other things I can do mean that it pays dividends, even if I’ve only … twice? seen something truly hinky in the results.
Bracketed paste mode in Zsh is not perfect but is a nice guard, and enabled by default these days, so if I do slip up and forget to hit esc-v first, there’s still some limited protection: belt and braces together.
I suspect an even safer is to look at the bytes in the clipboard with something like: xsel -ob | od -c. That way, nothing pasted can accidentally become an escape character for something else, and you can easily see any non-printing or control characters.
It didn’t work for me because I don’t load JS by default. I’ve gotten to where I use noscript 100% of the time. At first I couldn’t get over the added burden, but now I marvel at how we actually let web browsers load arbitrary code and run it on our machine without our permission.
Same here. But then, at some point you look over at a colleague’s screen and marvel at how much crap some sites load, and people put up with. I was looking for some information with a colleague and he found a site which showed a small rectangle with information which was decked on 3 sides with ads. I think there must’ve been 6 or 7 annoying ads surrounding the actual thing we were looking for!
His response: Oh, I don’t even notice those anymore.
Well, i use the primary selection buffer as my main clipboard, utilizing the clibboard only for long term storage. And to my knowledge, browsers cannot have an effect on that buffer (doesn’t work on the page above)
I don’t think there’s something wrong with pasting code from a website, as you have to always read carefully the code before copying/typing/… it into a shell
What is an alternative from the website owner perspective? I mean posting a picture to force everyone to type it out isn’t really accessible. May be hosting the bash command as a Gist on Github?
Native apps allow this too. For example on macOS AppKit, override -[NSText copy:] with an implementation that creates a pasteboard item with your custom content.
My terminal emulator (iTerm2) says “Warning: OK to paste one line ending in a newline at shell prompt?” It provides the options Paste, Paste Without Newline, and Cancel.
After selecting Paste (with newline), my shell (zsh) detects the paste and presents text at the prompt for editing as normal, including the newline, without executing it.
xfce4-terminal on GNU/Linux also does this: https://i.imgur.com/vOtPoVk.png
Nobody else is going to mention how incomprehensively idiotic it is that browsers allow JavaScript to fuck with the OS clipboard like this?
I don’t find it incomprehensively idiotic to allow a whole class of web applications to be possible. Any native app can “fuck with the OS clipboard” like this, so this theoretical attack can come from anywhere. Shells should (and, in some cases, seem to) be smart enough to not auto-execute on paste, without the user’s confirmation or permission.
The web is a relatively secure runtime for a lot of software that covers a lot of real needs for a lot of people.
That seems a bit unnecessarily inflammatory. “Click here to copy this text” is a feature that tons of people use and enjoy.
One “safeguard” I employ is a haphazard way to prevent a spurious
$in copypasted blocks from messing with me, but I’ve started to prefer that$because it makes me pause.My
$command:Oooh that looks like a good idea.
How often have there been any actual attacks with this? This always seemed highly hypothetical to me and not really something worth worrying about in the vast majority of cases.
On many platforms it won’t even be possible to do such tricks (e.g. GitHub, lobsters, Reddit, etc. where you can’t just add JS).
Also, this doesn’t work with the select/middle click copy buffer.
Are you going to take your chances, though? It doesn’t seem to me like much of an inconvenience just to paste into one’s editor first to have a look. I do this for newly visited, yet untrusted sites.
And the JS-based one may not work for select + middle click, but a similar attack can use CSS to hide text that would get included in the selection.
Why not? There is not a single documented case of a real world-attack as far as I can find, most websites people copy stuff from are trusted, most websites don’t allow arbitrary JS or CSS, and it’s actually not very convenient or economical from the attacker’s point of view (if you can fool someone in to trusting your site then you’re better off asking for credentials).
Is there a small chance? I suppose. But life is all about risk management and accepting only an absolute 0.0% of risk would mean a debilitating life.
Glad somebody mentioned this. I’ve been pasting into an editor forever (Preferably a GUI editor on my locak desktop that has zero chance if actually even getting anywhere near a shell :)
Seems like common sense to me.
Good advice; last time this advice came up on Lobste.rs, my approach got voted down, but it’s realistic and honest: if I’m going to paste anything from an untrusted source near a command interpreter, I hit alt-v (or esc-v) to invoke a text editor (edit-command-line widget in zsh, bound in my shell) and then
"+pto paste from the clipboard/selection into the text editor, where I can look at it, make sure I haven’t mis-selected text, that nothing else was happening; adjust as appropriate, and then save, which drops the edited line back in the shell line-editor, waiting for me to hit return.It’s a tiny bit of obscure setup but having it a single keystroke away and the convenience of the other things I can do mean that it pays dividends, even if I’ve only … twice? seen something truly hinky in the results.
Bracketed paste mode in Zsh is not perfect but is a nice guard, and enabled by default these days, so if I do slip up and forget to hit esc-v first, there’s still some limited protection: belt and braces together.
If anyone runs macOS I do something similar with macOS’ Spotlight.
Spotlight is one Cmd+Space away, paste command there, edit, select all, copy, paste on terminal.
Simple and comes installed out of the box.
I suspect an even safer is to look at the bytes in the clipboard with something like:
xsel -ob | od -c. That way, nothing pasted can accidentally become an escape character for something else, and you can easily see any non-printing or control characters.Obligatory link to bracketed paste
It didn’t work for me because I don’t load JS by default. I’ve gotten to where I use noscript 100% of the time. At first I couldn’t get over the added burden, but now I marvel at how we actually let web browsers load arbitrary code and run it on our machine without our permission.
You approximate this without JS by using invisible text. For example:
Verified just now on Google Chrome Version 86.0.4240.80.
Same here. But then, at some point you look over at a colleague’s screen and marvel at how much crap some sites load, and people put up with. I was looking for some information with a colleague and he found a site which showed a small rectangle with information which was decked on 3 sides with ads. I think there must’ve been 6 or 7 annoying ads surrounding the actual thing we were looking for!
His response: Oh, I don’t even notice those anymore.
On Linux you can get around this by using middle-click copy/paste. Still doesn’t make it a good idea…
Well, i use the primary selection buffer as my main clipboard, utilizing the clibboard only for long term storage. And to my knowledge, browsers cannot have an effect on that buffer (doesn’t work on the page above)
I don’t think there’s something wrong with pasting code from a website, as you have to always read carefully the code before copying/typing/… it into a shell
Alternatively, use common sense 2.0 gold edition. The updated version should protect you from 99.9% of script kiddos.
What is an alternative from the website owner perspective? I mean posting a picture to force everyone to type it out isn’t really accessible. May be hosting the bash command as a Gist on Github?
Looks like you can prevent the auto-execution behavior in bash with
Source: https://serverfault.com/a/1021968/416725
So maybe linking to this answer in your posts is a good solution
Native apps allow this too. For example on macOS AppKit, override
-[NSText copy:]with an implementation that creates a pasteboard item with your custom content.Another thing you can do to protect yourself is use a clipboard manager (like ClipIt on Linux) which shows what you copied and the clipboard history.