[konsole] [Bug 372116] Feature Request: Support OSC 52 (copy to clipboard)

Pedro V bugzilla_noreply at kde.org
Sat Aug 12 11:22:37 BST 2023


https://bugs.kde.org/show_bug.cgi?id=372116

--- Comment #23 from Pedro V <voidpointertonull+bugskdeorg at gmail.com> ---
(In reply to Wiebe Cazemier from comment #22)
> Do those concerns also apply to 'copy TO clipboard'?

Not as-is, as a write-only approach can't really directly result in information
leaking, but the issues regarding unexpected new privilege still stand and I
believe those are already quite well described on the very first linked page
(mintty issue).
It's a lower-hanging fruit for sure, but not low enough to just force the
functionality on everyone by default; it should start at least with an option
to enable it which defaults to being disabled.

Main point was to address the odd conclusion about local clipboard security
including possibly having clipboard history saved, even though the most
interesting use case would be programs running on different hosts which
obviously have no access to anything you mentioned.
Likely it's a good idea to look at how browsers handled this matter as there's
a clipboard web API, and foreign hosts can't just decide to fiddle with the
clipboard as for example even simple writing is limited:
"Transient user activation is required. The user has to interact with the page
or a UI element in order for this feature to work."

There's a security vs convenience trade-off here, and while ideally we could
enjoy the best of both worlds with finer grained permissions like the earlier
mentioned approach of programs not being interacted with by the user not being
allowed to use the clipboard (if not given some extra permission), that's not a
solution we'll see any time soon, so we have to be careful with adding new
features which come with risks unexpected by the majority of the users.
For example I used to conveniently paste multi-line snippets in some cases, but
then I switched to Konsole which supports bracketed paste mode, so my approach
stopped working which also meant that malicious multi-line clipboard payloads
became a significantly less threatening risk. It's safe by default with the
option of disabling the safety feature for possibly more convenience.

-- 
You are receiving this mail because:
You are the assignee for the bug.
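
The opt-in, write-only behaviour argued for in the comment above, sketched as a terminal-side OSC 52 gate. This is an added example, not code from the comment or from Konsole: every type and function name and the size limit are hypothetical, and the payload layout (`52;<selection>;<base64 or ?>`) follows xterm's description of OSC 52.

```cpp
#include <cstddef>
#include <string>

// Hypothetical names; not Konsole's API. Disabled is the intended default.
enum class Osc52Policy { Disabled, WriteOnly };
enum class Osc52Action { Ignored, Refused, SetClipboard };
struct Osc52Result { Osc52Action action; std::string text; };

// Strict base64: rejects bad characters, bad length and misplaced padding.
static bool decodeBase64(const std::string &in, std::string &out) {
    static const std::string tbl =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    if (in.size() % 4 != 0) return false;
    for (std::size_t i = 0; i < in.size(); i += 4) {
        unsigned v = 0; int pad = 0;
        for (std::size_t j = 0; j < 4; ++j) {
            const char c = in[i + j];
            if (c == '=') {  // padding: last group only, positions 2 and 3
                if (i + 4 != in.size() || j < 2) return false;
                ++pad; v <<= 6; continue;
            }
            const std::size_t pos = tbl.find(c);
            if (pos == std::string::npos || pad) return false;
            v = (v << 6) | static_cast<unsigned>(pos);
        }
        out += static_cast<char>((v >> 16) & 0xFF);
        if (pad < 2) out += static_cast<char>((v >> 8) & 0xFF);
        if (pad < 1) out += static_cast<char>(v & 0xFF);
    }
    return true;
}

// payload: OSC body between "ESC ]" and its terminator, e.g. "52;c;aGVsbG8=".
Osc52Result handleOsc52(const std::string &payload,
                        Osc52Policy policy = Osc52Policy::Disabled,
                        std::size_t maxEncoded = 8192) {  // constructed limit
    if (payload.compare(0, 3, "52;") != 0) return {Osc52Action::Ignored, ""};
    const std::size_t sep = payload.find(';', 3);
    if (sep == std::string::npos) return {Osc52Action::Ignored, ""};
    const std::string data = payload.substr(sep + 1);
    // "?" asks for the clipboard contents to be sent back: never answered.
    if (data == "?") return {Osc52Action::Refused, ""};
    if (policy == Osc52Policy::Disabled) return {Osc52Action::Refused, ""};
    if (data.size() > maxEncoded) return {Osc52Action::Refused, ""};
    std::string text;
    if (!decodeBase64(data, text)) return {Osc52Action::Refused, ""};
    return {Osc52Action::SetClipboard, text};
}
```

The caller is expected to touch the clipboard only on `SetClipboard`; a refused request produces no reply on the terminal's input stream, so the sending program learns nothing from it.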

