|
Message-ID: <20231019165354.kkjoxdbedeodyfik@yuggoth.org>
Date: Thu, 19 Oct 2023 16:53:55 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: with firefox on X11, any page can pastejack you
anytime
On 2023-10-19 17:04:10 +0100 (+0100), Sam Bull wrote:
[...]
> Also a problem with shell security. If you paste something with
> line breaks into bash, it executes them. If you paste the same
> into fish, it doesn't (it'll display the multi-line input and
> expect you to hit the enter key to execute it as a command).
That observation may be outdated. At least my bash 5.2.15 on Debian
does not execute pasted newlines, it treats it as a multi-line
command and waits for an actual enter keypress (tested inside a few
different terminal emulators including vanilla xterm, so pretty sure
it's not being mitigated at that layer).
--
Jeremy Stanley
Download attachment "signature.asc" of type "application/pgp-signature" (964 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.