bug-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#36879: 26.2; OSC 52 paste in term/xterm.el not working


From: Philipp Stephani
Subject: bug#36879: 26.2; OSC 52 paste in term/xterm.el not working
Date: Thu, 15 Aug 2019 21:32:27 +0200

Am So., 4. Aug. 2019 um 11:45 Uhr schrieb Mattias Engdegård <address@hidden>:

> > I'm probably missing something obvious, but how is talking to xclip more 
> > secure than talking to the terminal emulator? Or is the "security 
> > perspective" somewhere else?
>
> It's not a problem in Emacs, but by enabling OSC 52 in your terminal, an 
> adversary might arrange for a crafted string to be sent to it which would 
> surreptitiously inject malicious data into the clipboard, or extract secrets 
> from it. The OSC 52 reply itself could cause damage under some circumstances, 
> or the attacker could just hope for the victim to paste a command into a 
> shell prompt.
>
> > Except that xclip assumes x11. Would it not make sense to support a window 
> > protocol agnostic method? By supporting OSC 52, you support whatever 
> > clipboard mechanism the terminal emulator supports.
>
> I can definitely see how OSC 52 can be useful when there is only a terminal 
> connection to the machine running Emacs, and no out-of-band conduit for the 
> clipboard. The user needs to enable it actively both in the terminal and in 
> Emacs; it cannot be used by accident.
>
> > Perhaps one could use the heavy weight solution (change quit char) when 
> > 'screen' is detected, but simply use ST in the non-screen case?
>
> The thought did cross my mind, but I thought I'd first enquire about the 
> screen usage, given that I only got it to work with screen, not tmux, and 
> then only after explicitly setting TERM.
>
> Perhaps Philipp Stephani who originally wrote the code could help us here 
> (sorry about dragging you into the discussion, Philipp). Under what 
> circumstances did you run it? (It was 4 years ago; it's understandable if you 
> don't remember much of it.)
>


I added OSC-52 support primarily to support HTerm/Chrome Secure Shell.
HTerm supports copying via OSC-52, but not pasting due to the
aforementioned security issues, cf.
https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md#Is-OSC-52-aka-clipboard-operations_supported.
I don't use HTerm that much any more, but OSC-52 support for copying
was definitely quite useful. Copying is not a security issue (at least
for the SSH use case) as the clipboard is always ephemeral anyway.





reply via email to

[Prev in Thread] Current Thread [Next in Thread]