From: Stephane Chazelas
To: zsh-workers@zsh.org
Subject: Re: bracketed paste mode in xterm and urxvt
Date: Wed, 3 Jun 2015 13:43:51 +0100
Message-ID: <20150603124351.GD4767@chaz.gmail.com>
References: <55677AF5.50709@thequod.de>

2015-06-03 14:06:05 +0200, Mikael Magnusson:
[...]
> It's probably worth noting that 'safe-paste' is a bad name for this,
> since the pasted text can include the end-paste escape code, causing
> the rest of the paste to appear to the shell as typed by the user.
>
> This page has an example attack against the plugin,
> https://thejh.net/misc/website-terminal-copy-paste
>
> Hm, seems newer xterm prohibits pasting raw escape codes, so if you
> have one of those versions, you are safe.
[...]

Yes, see:
https://security.stackexchange.com/questions/39118/how-can-i-protect-myself-from-this-kind-of-clipboard-abuse/52655#52655
for details.

Note that with xterm, it's also possible to configure it to do
another safe type of bracketed paste like:

    xterm -xrm 'XTerm.VT100.translations: #override
      Shift <KeyPress> space: insert-formatted("\033[202~%S~%s", CLIPBOARD)'

For the CLIPBOARD selection to be inserted as ^[[202~3~abc (here
upon Shift+Space). That is, with the content of the selection
prefixed with its length (in bytes).

-- 
Stephane
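
The following is an added example, not part of the original message and not zsh or xterm code. It contrasts a reader for the standard delimiter-framed paste with a reader for the length-prefixed `ESC [202~ <length> ~ <data>` form described above. The function names and the clipboard sample are constructed for illustration.

```python
import re

START, END = b"\x1b[200~", b"\x1b[201~"           # standard bracketed-paste markers
HEADER = re.compile(rb"\x1b\[202~([0-9]{1,9})~")  # ESC [202~ <length> ~, as in the message

def frame_standard(clipboard: bytes) -> bytes:
    """What a terminal that does not filter escape codes sends for a paste."""
    return START + clipboard + END

def frame_length_prefixed(clipboard: bytes) -> bytes:
    """What insert-formatted("\\033[202~%S~%s", CLIPBOARD) sends."""
    return b"\x1b[202~%d~" % len(clipboard) + clipboard

def read_standard(stream: bytes):
    """Delimiter framing: the paste ends at the first END marker seen."""
    if not stream.startswith(START):
        raise ValueError("no start-paste marker")
    pasted, marker, rest = stream[len(START):].partition(END)
    if not marker:
        raise ValueError("unterminated paste")
    return pasted, rest  # rest is handled as if it had been typed

def read_length_prefixed(stream: bytes):
    """Length framing: exactly <length> bytes are paste, whatever they contain."""
    m = HEADER.match(stream)
    if m is None:
        raise ValueError("no length-prefixed paste header")
    n, body = int(m.group(1)), stream[m.end():]
    if len(body) < n:
        raise ValueError("short read: need %d more bytes" % (n - len(body)))
    return body[:n], body[n:]

# Constructed sample: clipboard text that carries its own end-paste marker.
CLIPBOARD = b"ls" + END + b"echo typed-not-pasted\n"

if __name__ == "__main__":
    # Delimiter framing splits the clipboard at the embedded marker.
    print(read_standard(frame_standard(CLIPBOARD)))
    # Length framing returns the whole clipboard as paste, nothing as typed.
    print(read_length_prefixed(frame_length_prefixed(CLIPBOARD)))
    # The example from the message: ^[[202~3~abc
    print(read_length_prefixed(b"\x1b[202~3~abc"))
```
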