[Pkg-urxvt-maintainers] Bug#787628: Bracketed paste is unsafe

Marc Lehmann schmorp at schmorp.de
Wed Jun 17 10:49:13 UTC 2015


Hi!

This bug report is unsound for a variety of reasons.

First of all, the safety is not the same as security, and the bracketed
paste mode is not a means for security (for a variety of sub-reasons, the
main being that pasting a _shell_ command that contains data that the user
doesn't know is insecure with or without bracketed paste mode filtering
out certain sequences).

Secondly, it's not rxvt-unicode's job to implement the security barrier
between e.g. the interwebs and your selection - if an app such as firefox
allows one to select text and then internally selects something else (as
firefox indeed does), then this is a security issue in the application
that can be tricked into putting text into the selection that the user
didn't select.

Third, even if bracketed paste mode singled out this sequence, it's
not a security feature, as the user has no feedback on whether this mode
is enabled, so cannot base her decision to paste on this mode. Advertising
bracketed paste mode as a security feature would trick users into unsafe
behaviour.

Lastly, guessing what is "safe" and what is "unsafe" in the terminal
emulator is the wrong place, as it can't know what the application
interprets. For example, the application might abort paste mode on other
sequences as well (such as ctrl-c). It's also very difficult to implement,
even if there were a list of what is to be filtered out, as the patch
shows, which doesn't manage to filter out sequences at internal borders, so
not giving the false impression that pasting is safe no matter what it
contains.

Therefore, I would suggest reassigning this to firefox or other
applications in Debian GNU/Linux that let you select one text visually,
but then offer a different text as the selection to other apps, as that is
indeed a security problem.

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schmorp at schmorp.de
      -=====/_/_//_/\_,_/ /_/\_\
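As an added illustration of the "internal borders" point above (example code written for this page, not from the bug report, the Debian patch or rxvt-unicode): a per-chunk filter for the xterm bracketed-paste terminator ESC[201~ beside a streaming filter that carries a partial match across chunk boundaries and substitutes an escape-free marker instead of deleting. It shows only the implementation pitfall; as the message says, no such filter makes pasting unknown text into a shell safe. The chunking and the marker text are assumptions.

```python
# Added example, not code from the bug report or from rxvt-unicode.
# Bracketed paste (xterm convention): pasted text arrives wrapped in
# ESC[200~ ... ESC[201~, so a terminator inside the text ends the paste early.
PASTE_END = b"\x1b[201~"
# Escape-free, visible stand-in (assumed marker). Substituting instead of
# deleting matters: b"\x1b[20\x1b[201~1~".replace(PASTE_END, b"") splices a
# fresh terminator out of the bytes on either side of the removed one.
NEUTRALIZED = b"\\e[201~"


def filter_chunk_naive(chunk: bytes) -> bytes:
    """Per-chunk filter: misses a terminator that straddles two chunks."""
    return chunk.replace(PASTE_END, NEUTRALIZED)


class PasteEndFilter:
    """Streaming filter that carries a partial match across chunk boundaries.
    Bytes matching a prefix of PASTE_END are held back until the match completes
    (NEUTRALIZED is emitted) or fails (held bytes are emitted unchanged). PASTE_END
    has ESC only at index 0 and no self-overlap, so a restart needs an ESC byte."""

    def __init__(self) -> None:
        self.held = bytearray()  # prefix of PASTE_END matched so far
        self.neutralized = 0     # terminators rewritten so far

    def feed(self, chunk: bytes) -> bytes:
        out = bytearray()
        for b in chunk:
            if b == PASTE_END[len(self.held)]:
                self.held.append(b)
                if len(self.held) == len(PASTE_END):
                    out += NEUTRALIZED
                    self.held.clear()
                    self.neutralized += 1
                continue
            out += self.held  # failed partial match: release it as-is
            self.held.clear()
            if b == PASTE_END[0]:
                self.held.append(b)  # ESC may start a new match
            else:
                out.append(b)
        return bytes(out)

    def flush(self) -> bytes:
        """End of paste: release a trailing partial match."""
        out, self.held = bytes(self.held), bytearray()
        return out


def filter_stream(chunks) -> bytes:
    """Feed every chunk through one PasteEndFilter and join the output."""
    f = PasteEndFilter()
    return b"".join(f.feed(c) for c in chunks) + f.flush()
```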
