[konsole] [Bug 367899] New: Please consider sanitizing middle-click-pasted text control characters for security reasons
Sami Liedes via KDE Bugzilla
bugzilla_noreply at kde.org
Sat Aug 27 14:53:38 UTC 2016
https://bugs.kde.org/show_bug.cgi?id=367899
Bug ID: 367899
Summary: Please consider sanitizing middle-click-pasted text control characters for security reasons
Product: konsole
Version: 16.04.2
Platform: Debian unstable
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: copy-paste
Assignee: konsole-devel at kde.org
Reporter: sami.liedes at iki.fi
While middle-click-pasting text into konsole, control characters like ESC (or
probably Ctrl-C) get through, which has security implications. Most other
terminals, especially xterm and gnome-terminal, sanitize the characters they
let through (e.g. changing ESC into "^["), making it generally safe to paste in
cat >textfile.txt, vim or emacs.
Of course, for this to be a viable attack route, an attacker usually has to get
benign-looking text containing control characters onto the clipboard. That may
or may not be easy. Previously, even browsers have greatly assisted in this.
Reproducible: Always
Steps to Reproduce:
1. echo -e '\e:!echo foo' | xclip -i (or copy similar text from an application)
2. Middle-click paste to konsole in vim insert mode
3. Observe that vim has executed the "echo foo" shell command.
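The sanitizing behaviour the report attributes to xterm (ESC becomes the printable "^[") can be shown with a small paste filter. The following is an added example written for this page; it is not Konsole's code and does not claim to match what any particular terminal does. It assumes that tab and newline must pass through unchanged so multi-line pastes still work, that all other C0 control characters and DEL are rewritten in caret notation, and (a further assumption, not from the report) that C1 control bytes in the U+0080..U+009F range are rendered as hex escapes so a UTF-8 terminal cannot interpret them either. The sample input is a constructed copy of the report's reproduction payload.

```python
"""Added example (not Konsole's code): rewrite control characters in pasted
text so that the receiving application sees printable characters only."""

# Assumption: these two control characters are needed for ordinary pastes.
PASS_THROUGH = {"\t", "\n"}


def caret_notation(ch: str) -> str:
    """Caret form of a C0 control character or DEL: ESC -> ^[, ETX -> ^C, DEL -> ^?."""
    code = ord(ch)
    if code == 0x7F:
        return "^?"
    return "^" + chr(code + 0x40)


def is_control(ch: str) -> bool:
    """True for C0 controls (other than the pass-through set), DEL and C1 controls."""
    code = ord(ch)
    if ch in PASS_THROUGH:
        return False
    return code < 0x20 or code == 0x7F or 0x80 <= code <= 0x9F


def sanitize_paste(text: str) -> str:
    """Return the pasted text with every control character made printable."""
    out = []
    for ch in text:
        code = ord(ch)
        if not is_control(ch):
            out.append(ch)
        elif 0x80 <= code <= 0x9F:
            # Assumption: show C1 controls as a hex escape; there is no caret form.
            out.append(f"\\x{code:02x}")
        else:
            out.append(caret_notation(ch))
    return "".join(out)


def contains_control_chars(text: str) -> bool:
    """Detection helper: would this paste carry any control character through?"""
    return any(is_control(ch) for ch in text)


# Constructed sample: what `echo -e '\e:!echo foo'` produces, as in step 1.
SAMPLE = "\x1b:!echo foo\n"

if __name__ == "__main__":
    print("unsafe:", contains_control_chars(SAMPLE))
    print(repr(SAMPLE), "->", repr(sanitize_paste(SAMPLE)))
```

Fed the report's payload, the filter turns the leading ESC into the two printable characters "^[", so vim in insert mode receives literal text instead of leaving insert mode and running a command; `contains_control_chars` is the check a terminal could use to decide whether to warn or filter before pasting.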