safe-paste plugin #1698

Merged
merged 1 commit into from Apr 8, 2013

Projects

None yet

6 participants

@ConradIrwin
Contributor

Pasting into a terminal can be dangerous (see http://thejh.net/misc/website-terminal-copy-paste). I certainly do it accidentally all the time.

Luckily many terminal emulators can indicate to their containing programs when pasting is happening. This plugin (shamelessly copied from http://www.zsh.org/mla/users/2011/msg00367.html) allows you to paste into zsh runnings inside xterm/urxvt/iTerm2 safely.

It does this by preventing any code from actually running while pasting, so you have a chance to review what was actually pasted before running it.

@robbyrussell robbyrussell merged commit ac0dddb into robbyrussell:master Apr 8, 2013
@schneckenschnabel

somehow I can't get this to work at all, pasting is still the same as before

@thejh
thejh commented Apr 8, 2013

Actually, I just remembered that someone wrote on reddit (I think) that you can embed escape sequences in HTML... and bracketed paste uses escape sequences... so this is actually not a solution. See http://thejh.net/misc/website-terminal-copy-paste (now updated) for a variant that also works on people who have safe-paste activated.

@thejh
thejh commented Apr 8, 2013

Well, I guess this is still useful against accidential multiline pastes.

@ConradIrwin
Contributor

@agony, which terminal are you using? echo $TERM.

@thetj, nice!. I mainly use this because I've pasted totally random stuff into my terminal a bucket-load of times. BTW, you should try and make double-click to copy work.

@thejh
thejh commented Apr 8, 2013

@ConradIrwin You mean triple-click? Hmm... I could just add a JS script to make it work for people who have JS enabled, but I don't know any way to make it work for people with JS disabled.

@ConradIrwin
Contributor

@thejh Yes. At least I'm safe for now then :).

@thejh
thejh commented Apr 8, 2013

@ConradIrwin Hmm, actually... triple-clicking selects the newline in the end, so if there's a one-liner with some hidden evil stuff like this, you'd probably be affected:

git clone git://git.kernel.org/pub/scm/utils/kup/kup.git a b; evil_command

However, those who just drag the mouse to select the command would then probably often not copy the newline at the end.

@schneckenschnabel

@ConradIrwin currently rxvt-unicode, but I also tried xterm, nothing. shift+insert just pastes as it always had

@ConradIrwin
Contributor

@agony interesting, it works for me under rxvt-unicode. Do you have the latest oh-my-zsh code? (You can get it by running upgrade_oh_my_zsh)

@schneckenschnabel

yeah, just updated today

@talex5
talex5 commented Apr 9, 2013

For me, only the first paste worked. Adding this to the end of _end_paste() fixed it for me:

bindkey '^[[200~' _start_paste

Edit: Sorry, my fault. My default keymap was (implicitly) set to viins, not emacs, because my $EDITOR included the substring "vi".

@RauliL RauliL added a commit to RauliL/zshrc that referenced this pull request Jan 14, 2015
@RauliL RauliL Add safe paste -plugin.
I found it from robbyrussell/oh-my-zsh#1698 and
it seems to work nicely.
0a16545
@stephane-chazelas

Note that this plugin is safe (at least with regards to \e[201~ in the copied text) in the default configuration of recent versions of xterm, that don't allow pasting control characters other than newline (transformed to carriage-return), backspace, carriage-return, del and tab.

There's a problem only on terminals that don't do that like gnome-terminal or older versions of xterm, or xterm configured with allowPasteControls enabled.

See http://security.stackexchange.com/a/52655 for details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment