safe-paste plugin #1698

Merged
merged 1 commit into from Apr 8, 2013

ConradIrwin commented Apr 8, 2013

Pasting into a terminal can be dangerous (see http://thejh.net/misc/website-terminal-copy-paste). I certainly do it accidentally all the time.

Luckily many terminal emulators can indicate to their containing programs when pasting is happening. This plugin (shamelessly copied from http://www.zsh.org/mla/users/2011/msg00367.html) allows you to paste into zsh running inside xterm/urxvt/iTerm2 safely.

It does this by preventing any code from actually running while pasting, so you have a chance to review what was actually pasted before running it.

robbyrussell added a commit that referenced this pull request Apr 8, 2013

@robbyrussell robbyrussell merged commit ac0dddb into robbyrussell:master Apr 8, 2013

schneckenschnabel commented Apr 8, 2013

somehow I can't get this to work at all, pasting is still the same as before

thejh commented Apr 8, 2013

Actually, I just remembered that someone wrote on reddit (I think) that you can embed escape sequences in HTML... and bracketed paste uses escape sequences... so this is actually not a solution. See http://thejh.net/misc/website-terminal-copy-paste (now updated) for a variant that also works on people who have safe-paste activated.

thejh commented Apr 8, 2013

Well, I guess this is still useful against accidental multiline pastes.

ConradIrwin commented Apr 8, 2013

@Agony, which terminal are you using? echo $TERM.

@theTJ, nice! I mainly use this because I've pasted totally random stuff into my terminal a bucket-load of times. BTW, you should try and make double-click to copy work.

thejh commented Apr 8, 2013

@ConradIrwin You mean triple-click? Hmm... I could just add a JS script to make it work for people who have JS enabled, but I don't know any way to make it work for people with JS disabled.

ConradIrwin commented Apr 8, 2013

@thejh Yes. At least I'm safe for now then :).

thejh commented Apr 8, 2013

@ConradIrwin Hmm, actually... triple-clicking selects the newline in the end, so if there's a one-liner with some hidden evil stuff like this, you'd probably be affected:

git clone git://git.kernel.org/pub/scm/utils/kup/kup.git a b; evil_command

However, those who just drag the mouse to select the command would then probably often not copy the newline at the end.

schneckenschnabel commented Apr 8, 2013

@ConradIrwin currently rxvt-unicode, but I also tried xterm, nothing. shift+insert just pastes as it always had

ConradIrwin commented Apr 8, 2013

@Agony interesting, it works for me under rxvt-unicode. Do you have the latest oh-my-zsh code? (You can get it by running upgrade_oh_my_zsh)

schneckenschnabel commented Apr 8, 2013

yeah, just updated today

talex5 commented Apr 9, 2013

For me, only the first paste worked. Adding this to the end of _end_paste() fixed it for me:

bindkey '^[[200~' _start_paste

Edit: Sorry, my fault. My default keymap was (implicitly) set to viins, not emacs, because my $EDITOR included the substring "vi".

w31 pushed a commit to w31/oh-my-zsh that referenced this pull request Apr 30, 2014

RauliL added a commit to RauliL/zshrc that referenced this pull request Jan 14, 2015

Add safe paste -plugin.
I found it from robbyrussell/oh-my-zsh#1698 and
it seems to work nicely.

stephane-chazelas commented May 11, 2015

Note that this plugin is safe (at least with regards to \e[201~ in the copied text) in the default configuration of recent versions of xterm, that don't allow pasting control characters other than newline (transformed to carriage-return), backspace, carriage-return, del and tab.

There's a problem only on terminals that don't do that like gnome-terminal or older versions of xterm, or xterm configured with allowPasteControls enabled.

See http://security.stackexchange.com/a/52655 for details.
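
The control-character filtering described in the last comment, written out as an added example; it is not code from the plugin, from xterm, or from anyone in this thread. The function names `filter_paste`, `has_end_marker` and `paste_report` are hypothetical, the sample text is constructed, and dropping disallowed characters (rather than replacing them) is an assumption.

```shell
#!/bin/sh
# Added example: apply the allow-list quoted in the thread to clipboard text
# before it reaches a shell that relies on bracketed paste.

ESC=$(printf '\033')
END_MARK="${ESC}[201~"   # bracketed-paste end marker, \e[201~

# filter_paste: read clipboard bytes on stdin, write what may be pasted.
#   newline (012) is transformed to carriage return (015)
#   kept:    backspace (010), tab (011), carriage return (015), DEL (0177)
#   dropped: every other C0 control character, including ESC (033)
#            (assumption: dropped, not replaced)
filter_paste() {
  LC_ALL=C tr '\n' '\r' | LC_ALL=C tr -d '\000-\007\013\014\016-\037'
}

# has_end_marker: succeed if stdin contains \e[201~, i.e. text that would
# close the bracketed paste early on a terminal that passes ESC through.
has_end_marker() {
  LC_ALL=C grep -qF "$END_MARK"
}

# paste_report: classify one candidate paste given as "$1".
paste_report() {
  if printf '%s' "$1" | has_end_marker; then
    echo "reject: embedded bracketed-paste end marker"
  else
    echo "ok"
  fi
}

# Constructed sample: visible text followed by an embedded end marker.
SAMPLE=$(printf 'echo visible%s; evil_command' "$END_MARK")
FILTERED=$(printf '%s' "$SAMPLE" | filter_paste)

paste_report "$SAMPLE"     # raw clipboard text
paste_report "$FILTERED"   # after the allow-list has removed ESC
```

Once ESC is removed, the remaining `[201~` is ordinary text inside the paste and no longer ends it, which is why the plugin holds up on terminals that filter pasted control characters.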
