Can't make clickable workspaces with stripActions active #125
Comments
|
The reason we strip actions is that it's trivial to create a web page A possibility would be to provide a plugin argument and let the user We discussed options involving escaping of characters, but they also The discussion was on the mailing list: (As an aside, i've never been able to reproduce the bug described I'm inclined to providing a configuration flag just for XMonadPropLog Thoughts? |
|
Hmm. I honestly don't see "Web pages with embedded malicious Providing flags for the relevant plugins to disable action-stripping on a case-by-case basis seems the safest solution, preferably coupled with documentation on how to go about securing the window-titles part of the log when actions are enabled. |
|
Is there an intended way to secure the window-titles part of the log, apart from the current "welp, no actions are allowed at all in the stdin"? For instance, does HTML-escaping the title work? |
|
No, there's currently no escaping implemented. I'm surely missing |
|
Well, the title would necessarily be escaped in the window manager, probably by encoding it in HTML entities. xmobar would then have to render Does dzen2 have any way to check for or avoid this particular security hole, which would I imagine be equally applicable to its formatting language? Edit: Turns it it does. There's a |
The bit that worries me about that is that some people won't take the But perhaps we could have an |
|
That seems legitimate. The combination of:
should be sufficient to allow this feature without opening a security hole. (I expect xmonad-contrib would soon gain an |
I was thinking that, when the flag is off, "harmless" markup such as |
|
Sure, that's reasonable (and how it works currently anyway). The "unsafe" StdinReader setup would just enable |
|
A bit annoyingly, the only lightweight Haskell package for HTML-encoding I'm thinking of just decoding |
|
Huh, I'd expected there to be a usable HTML-encoder available, but hadn't actually checked whether this was indeed the case. For doing it manually, it'd be necessary to deal with both |
Yes. Another possibility, if we're going to provide our own manual |
|
Ah, yes, that'd work too. Should be easy both to encode and decode, for that matter. It'd incidentally be remarkably similar to how dzen handles this problem (escaping its |
|
Incidentally, for what it's worth, I just actually tried to attack myself through this security vector. I made an HTML file: <title><action=xclock>EEEEVIL</action></title>And found that, although other actions in my StdinReader are working (I've simply removed the Thinking it might be related to the <title><action=xclock>EEEEVIL</action></title>And this still didn't start an xclock when clicked! I have no special escaping logic in my XMonad configuration; all I do for It seems like the browsers themselves are already escaping or stripping stuff from the window title before it's passed on to X, or something along those lines? (I tried in Firefox, Chromium, and uzbl, and all had the same behaviour.) If browsers indeed are already making the title safe (somehow), does this mean there isn't really a security hole in allowing actions? |
|
On Tue, Aug 20 2013, 00Davo wrote:
Didn't you try to also escape the <title><action=xclock>EEEEVIL</action></title> |
Oh, yep. I tried that too, with identical results. However, on further testing I've found that it's not the browsers doing whatever weird escaping is happening, because I just tried this: mkdir -p '<action=xclock>EVIL</action>'
cd !$The window title shows the current directory as |
|
Oh. That's what's going on, okay. Turns out that at least the darcs version of xmonad-contrib has another PP field called Sorry to have led us on that little wild-goose chase there. |
|
OK... to double check, i just tried with my setup (where the title |
|
Yep, guess so. Escaping |
|
I've created a pull request that creates a new plugin to address this, see #126. It was a quick hack just to get clickable workspaces working on my environment. |
changes from Release notes:
## Version 0.19 (October 27, 2013)
As of this release, the old bug tracker at Google code is deprecated.
Please use [Github's tracker] for new bugs.
_New features_
- New monitor `BatteryN`, a variant of `BatteryP` that lets you
specify the name of the monitor in the template.
- Support for configuration file living in `XDG_CONFIG_HOME` (see
[github #99]).
- `Com` uses safer `runInteractiveProcess` instead of spawning a
shell (David McLean). If you're using shell expansion in your
`Com` (e.g. "~/bin/script") here's a workaround: `Run Com
"/bin/bash" ["-c", "~/bin/script"]` (cf. [github #127]).
- New plugin `UnsafeStdinReader` that allows actions from stdin.
Now it's possible to have clickable workspaces!
(Thiago Negri, see [github #125]).
- New monitor configuration option (`-x` or `--nastring`) that allows
specifying what string to display when a monitor is not available
(defaulting to "N/A"). Cf. [github #119].
_Bug fixes_
- Using the width options `-w`, `-m` and `-M` in battery monitors
watts display ([github #118]).
- Using the `-d` option in `CoreTemp` ([github #115])
- Fix for systems not supporting PCRE regular expressions: we use
now BCEs, so regex-compat should be enough everywhere (see
[github #117]).
- Weather monitor: support for stations without name (Sergei
Trofimovich, [issue #65]).
[Github's tracker]: https://github.com/jaor/xmobar/issues
[github #99]: jaor/xmobar#115
[github #115]: jaor/xmobar#115
[github #117]: jaor/xmobar#117
[github #125]: jaor/xmobar#125
[issue #65]: http://code.google.com/p/xmobar/issues/detail?id=65
[github #118]: jaor/xmobar#118
[github #119]: jaor/xmobar#119
[github #127]: jaor/xmobar#127
xmobar currently strips out any
<action>invocations found in the string passed through eitherStdinReaderorXMonadPropLog, the two main ways to send workspace info from XMonad.Unfortunately, this setup makes it impossible to implement what's probably the number one use of clickable-area support (judging from dzen-based XMonad configs): clickable workspaces, such that clicking on a workspace in the statusbar switches to it.
So why does xmobar do that? What's the rationale behind 85fdac2 ? Security is one possibility, but practically all usage of these two plugins will involve only a string controlled by the end-user, i.e., the log output of their window manager. Are there other reasons to be stripping actions?
The text was updated successfully, but these errors were encountered: