Why would I bother copying and pasting the code to my clipboard when common industry practice now is just to invoke the output of curl directly?<p>ruby -e "$(curl -fsSL <a href="https://raw.github.com/mxcl/homebrew/go" rel="nofollow">https://raw.github.com/mxcl/homebrew/go</a>)"
Bash and Zsh provide shortcuts to open a text editor where commands can be pasted and edited before running (Ctrl-x Ctrl-e in bash, need to enable in zsh [2]). I've been using this on Linux not for security but because I'm still confused by X11's primary and clipboard selections [1]. It seems like every time I try to paste a github repo link, I get the last chunk of code I copied and vice versa.<p>[1] <a href="http://www.nongnu.org/autocutsel/" rel="nofollow">http://www.nongnu.org/autocutsel/</a><p>[2] Sample .zshrc to map edit-command-line to Ctrl-x e:<p><pre><code> autoload edit-command-line
zle -N edit-command-line
bindkey '^Xe' edit-command-line
</code></pre>
edit: fixed shortcut for bash<p>edit: forgot about my .zshrc
Nicely done! Here's the underlying source:<p><pre><code> <p class="codeblock">
<!-- Oh noes, you found it! -->
git clone
<span style="position: absolute; left: -100px; top: -100px">/dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!<br>Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd<br>git clone </span>
git://git.kernel.org/pub/scm/utils/kup/kup.git
</p></code></pre>
I suspect that the only way to effectively mitigate this is in the terminal application, by displaying a confirmation <i>with the pasted text</i> before accepting any multi-line[1] paste. For example here: <a href="https://code.google.com/p/iterm2/issues/detail?id=594" rel="nofollow">https://code.google.com/p/iterm2/issues/detail?id=594</a><p>[1] There may be other dangerous characters besides newlines, e.g. escape sequences. I'm not sure if it's possible to make an exhaustive list for something like Bash. Perhaps one has to guard against <i>any</i> paste?
Perhaps the real problem here is that, as noted by Ted Nelson back when the concept started to gain popularity, "[the computer clipboard is] just like a regular clipboard, except (a) you can't see it, (b) it holds only one object, (c) whatever you put there destroys the previous contents." The presented vulnerability hinges on (a), and, Glipper [1] notwithstanding, (a)-(c) is still the default behavior in every GUI I use.<p>[1] <a href="https://launchpad.net/glipper" rel="nofollow">https://launchpad.net/glipper</a>
Well... yeah, but even without hidden text, what are you going to do after you clone the repository? Probably `make` or `ruby something.rb` or any number of other commands that can run arbitrary code. If you don't trust someone, you shouldn't be trying to clone their git repo in the first place.
One of many examples by which making the web a better "application-delivery" platform makes it less secure, less reliable, less predictable and more tedious in its original role of sharing text, images and links.
I'm confused why this is even allowed by browsers; you shouldn't be able to send something else to the clipboard. Are there any browser extensions that can 'fix' this issue?
Note: if you don't trust this, paste into a text editor!<p>It works with this CSS:<p><pre><code> position: absolute; left: -100px; top: -100px</code></pre>
Pasted result is:<p><pre><code> git clone
/dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!
Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd
git clone git://git.kernel.org/pub/scm/utils/kup/kup.git</code></pre>
Good terminal emulators (xterm, urxvt, iTerm2, etc.) have support for "bracketed paste mode" which can be used to fix this problem in zsh: <a href="https://github.com/robbyrussell/oh-my-zsh/pull/1698" rel="nofollow">https://github.com/robbyrussell/oh-my-zsh/pull/1698</a> (original code: <a href="http://www.zsh.org/mla/users/2011/msg00367.html" rel="nofollow">http://www.zsh.org/mla/users/2011/msg00367.html</a>)<p>It's probably easy to write a similar fix for bash.
I usually put a # before anything I paste into a terminal. Mostly because I sometimes get a newline at the end, but it will disarm this behavior too. I'm not sure if it works in all situations though. Edit: Won't work! Use a heredoc (<<paste) or the editor method suggested above instead.
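The terminal-side confirmation suggested a few comments up, the bracketed-paste fix, and the '#' and heredoc workarounds all come down to one question: what would the shell actually execute from this clipboard text? The following is an added example, not code from this thread or from any of the tools mentioned. It takes clipboard text as a Python string, previews it with control characters made visible, and reports the findings a paste confirmation should show: embedded newlines and carriage returns (each acts as Enter), ESC bytes, and a trailing newline. It also checks the two workarounds: `comment_prefix_works` shows why a leading '#' only protects a single-line paste, and `heredoc_risks` shows two ways a paste can still escape a `cat <<paste` heredoc. The sample text is constructed, modelled on the pasted result shown in the thread but with a harmless payload on the invisible line.

```python
"""Inspect clipboard text before it reaches a shell prompt.

Added example (not code from this thread). It models the "confirm with the
pasted text" idea for terminals and checks the two workarounds mentioned in
the comments: typing '#' first, and catching the paste in a heredoc.
"""
import re

ESC = "\x1b"
# Control bytes other than tab and newline; \r and ESC are reported separately.
OTHER_CONTROL = re.compile(r"[\x00-\x08\x0b-\x0c\x0e-\x1a\x1c-\x1f\x7f]")

# Constructed sample, modelled on the pasted result shown in the thread but
# with a harmless payload on the line that was invisible on the page.
PASTE_SAMPLE = (
    "git clone\n"
    "/dev/null; clear; echo 'this line was not visible on the page'\n"
    "git clone git://example.invalid/repo.git"
)


def show_escaped(line: str) -> str:
    """Make control characters visible (e.g. ESC -> \\x1b) for a preview."""
    return line.encode("unicode_escape").decode("ascii")


def inspect_paste(text: str) -> dict:
    """Return line count, a preview, and findings about what would run unseen."""
    lines = text.split("\n")
    findings = []
    if len(lines) > 1:
        findings.append(
            f"{len(lines) - 1} newline(s): each acts as Enter, so earlier "
            "lines execute before the rest is readable"
        )
    if text.endswith("\n"):
        findings.append("trailing newline: the last line runs as soon as it is pasted")
    if "\r" in text:
        findings.append("carriage return: many terminals treat \\r like Enter")
    if ESC in text:
        findings.append("ESC byte: an escape sequence can move the cursor or hide text")
    other = sorted(set(OTHER_CONTROL.findall(text)))
    if other:
        findings.append("other control bytes: " + " ".join(repr(c) for c in other))
    preview = [f"{n:>3}| {show_escaped(line)}" for n, line in enumerate(lines, 1)]
    return {"lines": len(lines), "findings": findings, "preview": preview}


def comment_prefix_works(text: str) -> bool:
    """A leading '#' comments out only the first line, so it helps only when
    nothing in the paste would end that line."""
    return "\n" not in text and "\r" not in text


def heredoc_risks(text: str, tag: str = "paste", quoted: bool = False) -> list:
    """Ways a paste can escape `cat <<tag` (or `cat <<'tag'` when quoted=True)."""
    risks = []
    # strip() is a conservative over-approximation of the shell's exact match.
    if any(line.strip() == tag for line in text.split("\n")):
        risks.append(
            f"a pasted line equals the terminator {tag!r}: the heredoc ends "
            "there and the remaining lines run as commands"
        )
    if not quoted and re.search(r"\$\(|`", text):
        risks.append(
            "unquoted terminator: $(...) and backticks in the heredoc body are "
            f"still expanded by the shell; use <<'{tag}' instead"
        )
    return risks


if __name__ == "__main__":
    report = inspect_paste(PASTE_SAMPLE)
    print("\n".join(report["preview"]))
    for finding in report["findings"]:
        print("!", finding)
    print("'#' prefix neutralises the whole paste:", comment_prefix_works(PASTE_SAMPLE))
    print("heredoc risks:", heredoc_risks(PASTE_SAMPLE))
```

The heredoc check is the caveat worth knowing: with an unquoted terminator, `$(...)` and backticks inside the body are still expanded, so `cat <<'paste'` is the form that only prints. For bash, the shell-side equivalent of the zsh bracketed-paste fix is readline's `set enable-bracketed-paste on` in `~/.inputrc` (readline 7 / bash 4.4 and later); with it the terminal delivers the paste as one unit and the newlines are not treated as Enter.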
Actually, I tried to copy it by triple clicking, which selects one line (at least, I expect it to; it's what Sublime Text does). That didn't copy any of the malicious text; it just stopped between the clone and the URL.
Wow, crazy, never really thought about this as an attack vector but it seems pretty obvious. I must confess that as a person who solves many problems by Googling I have directly pasted terminal commands from unknown websites countless times...
This is really just an extension of clickjacking - modifying the UI to trick the user into performing an undesired action. This is a pretty novel idea, and considering how many websites make use of this to slap their permalinks into copied text (albeit with flash, usually), I'm surprised this hasn't been thought of before.<p>It would be an interesting experiment to sneak a harmless command after every snippet on a site like commandlinefu.com.<p>Edit: Also while playing around, I remembered irssi actually has a defense against this. If you try pasting multiple lines, it can detect this. It presents you with a prompt asking if you really intended to paste >5 lines into the text field. I wonder if something like this could be implemented in a shell?
This is another reason I always type a '#' before copy/pasting any long commands. The main reason is that I sometimes want to edit a long copied command and sometimes a newline gets caught in my 'copy'. The '#' prevents it from accidentally executing.
I mean, untarring a downloaded tarball from somewhere and running `make` is just as dangerous, right? Only there you can make sure the checksum matches, but people skip that step all the time.
Can browsers fix this behavior?<p>It seems like a security hole for many reasons.<p>The default should be to copy plain text as highlighted, and advanced right click for html based copying.
I was just thinking it might be cool to have a service that site owners could include via JS that would ensure that the content in a div is the content seen by the user. It could have a little stamp that says "Verified by SuchAndSuch" in the corner of the div. Should I try to make this? Any obvious issues? Is it worth it?
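The "copy plain text as highlighted" and "verified content" ideas in the last two comments both need the same primitive: compare the text a copy would contain with the text the reader can see. The following is an added example, not code from this thread or from any browser or site; it runs the comparison over a code block's HTML using only the standard library. The notion of "hidden" is deliberately simple (inline styles only: `display:none`, `visibility:hidden`, `font-size:0`, or `position:absolute` with a large negative offset, which is the CSS shown earlier in the thread); a browser extension would make the same comparison with `getComputedStyle()` and `getBoundingClientRect()`. The sample HTML is constructed, with a harmless placeholder in place of the hidden payload.

```python
"""Compare what a <pre> block shows with what a copy of it would contain.

Added example (not code from this thread). It is the check a site owner's
script or a browser extension would run: walk the code block, set aside text
inside elements whose inline style hides them, and report when the copied
text and the visible text differ.
"""
import re
from html.parser import HTMLParser

HIDDEN_STYLE = [
    re.compile(r"display\s*:\s*none"),
    re.compile(r"visibility\s*:\s*hidden"),
    re.compile(r"font-size\s*:\s*0(px|em|rem|%)?(\s*;|\s*$)"),
]
OFF_SCREEN = re.compile(r"(left|top|right|bottom)\s*:\s*-\d")


def style_hides(style: str) -> bool:
    """True if an inline style keeps the element's text off the screen."""
    s = style.lower()
    if any(p.search(s) for p in HIDDEN_STYLE):
        return True
    # The trick from the thread: position: absolute with a negative offset.
    return ("absolute" in s or "fixed" in s) and OFF_SCREEN.search(s) is not None


class CopyVsView(HTMLParser):
    """Collects the text a copy would take and the text the eye sees."""

    def __init__(self):
        super().__init__()
        self.copied = []        # every text node, hidden or not
        self.visible = []       # text nodes with no hidden ancestor
        self.hidden_runs = []   # text nodes under a hidden ancestor
        self._stack = []        # open element names
        self._hidden_from = None  # stack depth at which a hidden element opened

    def handle_starttag(self, tag, attrs):
        if tag == "br":
            self._text("\n")    # <br> becomes a newline in copied text
            return
        self._stack.append(tag)
        style = dict(attrs).get("style") or ""
        if self._hidden_from is None and style_hides(style):
            self._hidden_from = len(self._stack)

    def handle_endtag(self, tag):
        if tag == "br":
            return
        while self._stack:
            if self._stack.pop() == tag:
                break
        if self._hidden_from is not None and len(self._stack) < self._hidden_from:
            self._hidden_from = None

    def handle_data(self, data):
        self._text(data)

    def _text(self, s):
        self.copied.append(s)
        if self._hidden_from is None:
            self.visible.append(s)
        else:
            self.hidden_runs.append(s)


def normalise(s: str) -> str:
    """Keep line structure, drop blank lines and edge whitespace."""
    return "\n".join(line.strip() for line in s.splitlines() if line.strip())


def analyse(html: str) -> dict:
    """Return copied text, visible text, hidden text and whether they differ."""
    parser = CopyVsView()
    parser.feed(html)
    parser.close()
    copied = normalise("".join(parser.copied))
    visible = normalise("".join(parser.visible))
    return {
        "copied": copied,
        "visible": visible,
        "hidden": "".join(parser.hidden_runs),
        "mismatch": copied != visible,
    }


# Constructed sample in the shape of the thread's demo; the payload is a placeholder.
SAMPLE = """<pre><code><p class="codeblock">
<!-- the span below is pushed off-screen -->
git clone
<span style="position: absolute; left: -100px; top: -100px">/dev/null; echo HIDDEN-PAYLOAD-PLACEHOLDER<br>git clone </span>git://example.invalid/repo.git
</p></code></pre>"""

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print("visible:\n" + result["visible"])
    print("\ncopied:\n" + result["copied"])
    print("\nmismatch:", result["mismatch"])
```

Run over the sample, `visible` is the two-line `git clone` / URL the reader sees, while `copied` carries the extra line and `mismatch` is True; a block with no hidden children compares equal. A "verified" stamp would be the negation of `mismatch` plus a check that no child element is hidden by stylesheet rules, which this inline-style model does not see.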
This doesn't seem like such a big deal<p>You have one of two ways to combat this:
1) always copy things to notepad first so whatever it is that you copied you can verify is what you meant to copy<p>2) Use the inspection tool of your browser to copy it from source where things can't really be hidden.<p>I usually do #1 anyway because of weird formatting and characters
Did it stop working for anyone the second time? I tried it once, and it worked (gave me the warning and first line of my /etc/passwd file). I wanted to show it to a coworker but it mysteriously stopped working. It is just copying the displayed text now. Kinda weird.<p>Using Google Chrome 26.0.1410.43 on Ubuntu 12.10 64-bit.
Out of interest, does anyone know of a Mac utility which will intercept the default paste shortcut and pop up a confirmation of what is going to be pasted, with a really quick interface to the previous few items that were copied to the clipboard?
There is a subtle hint that all is not well if you try to select the code using triple-click: it will only select one half at a time, suggesting it is not the one-liner it appears to be...
Yes, but not just that. It's also important to make an effort to understand what commands you are typing into your shell before typing them (Google them first if you don't know).
In Bitbucket, you could simply copy and paste the <i>clone command in the text field</i>. Isn't a text field far safer, since there should be no hidden element?
What I usually do before pasting insecure clipboard content into a terminal is start with a double-quote character: "
Once I see the real output, I just have to remove the quotes (<ctrl-a> <del> <return>).
OK, honestly, where is the ability to disable clipboard manipulation or similar techniques? Browsers need to do this. I have NEVER seen value in a website's ability to modify my clipboard.