unofficial mirror of bug-gnu-emacs@gnu.org 
From: Philipp Stephani <p.stephani2@gmail.com>
To: "Mattias Engdegård" <mattiase@acm.org>
Cc: "Philipp Stephani" <phst@google.com>,
	"Daniel Eklöf" <daniel@ekloef.se>,
	"Stefan Monnier" <monnier@iro.umontreal.ca>,
	36879@debbugs.gnu.org
Subject: bug#36879: 26.2; OSC 52 paste in term/xterm.el not working
Date: Thu, 15 Aug 2019 21:32:27 +0200
Message-ID: <CAArVCkT7xBRT0tYSw0_MTrC00fXo4xrHz9ER2TD+Y4U9M49ucQ@mail.gmail.com>
In-Reply-To: <5E410D26-8917-4291-8202-C28FAE1CD0B2@acm.org>

On Sun, 4 Aug 2019 at 11:45, Mattias Engdegård <mattiase@acm.org> wrote:

> > I'm probably missing something obvious, but how is talking to xclip more secure than talking to the terminal emulator? Or is the "security perspective" somewhere else?
>
> It's not a problem in Emacs, but by enabling OSC 52 in your terminal, an adversary might arrange for a crafted string to be sent to it which would surreptitiously inject malicious data into the clipboard, or extract secrets from it. The OSC 52 reply itself could cause damage under some circumstances, or the attacker could just hope for the victim to paste a command into a shell prompt.
>
> > Except that xclip assumes x11. Would it not make sense to support a window protocol agnostic method? By supporting OSC 52, you support whatever clipboard mechanism the terminal emulator supports.
>
> I can definitely see how OSC 52 can be useful when there is only a terminal connection to the machine running Emacs, and no out-of-band conduit for the clipboard. The user needs to enable it actively both in the terminal and in Emacs; it cannot be used by accident.
>
> > Perhaps one could use the heavy weight solution (change quit char) when 'screen' is detected, but simply use ST in the non-screen case?
>
> The thought did cross my mind, but I thought I'd first enquire about the screen usage, given that I only got it to work with screen, not tmux, and then only after explicitly setting TERM.
>
> Perhaps Philipp Stephani who originally wrote the code could help us here (sorry about dragging you into the discussion, Philipp). Under what circumstances did you run it? (It was 4 years ago; it's understandable if you don't remember much of it.)
>


I added OSC-52 support primarily to support HTerm/Chrome Secure Shell.
HTerm supports copying via OSC-52, but not pasting due to the
aforementioned security issues, cf.
https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md#Is-OSC-52-aka-clipboard-operations_supported.
I don't use HTerm that much any more, but OSC-52 support for copying
was definitely quite useful. Copying is not a security issue (at least
for the SSH use case) as the clipboard is always ephemeral anyway.
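
The policy described in this message (clipboard writes allowed, clipboard reads refused), as an added Python example that is not code from this thread, Emacs or HTerm: a filter for bytes headed to a terminal that drops OSC 52 queries and records what each write would place on the clipboard. The function name, the size limit and the sample stream are constructed for illustration.

```python
import base64
import binascii
import re

# OSC 52 in its 7-bit form: ESC ] 52 ; Pc ; Pd, ended by BEL or ST (ESC \).
# Pc selects the clipboard/selection; Pd is base64 data, or "?" to make the
# terminal reply with the current clipboard contents. 8-bit C1 forms are not handled.
OSC52 = re.compile(rb"\x1b\]52;([^;\x07\x1b]*);([^\x07\x1b]*)(?:\x07|\x1b\\)")


def filter_osc52(stream, max_copy_bytes=4096):
    """Filter bytes headed for the terminal; return (filtered, events)."""
    events = []

    def handle(match):
        selection = match.group(1).decode("ascii", "replace")
        payload = match.group(2)
        if payload == b"?":
            # Read request: the reply would carry clipboard contents back.
            events.append(("query-dropped", selection, None))
            return b""
        try:
            data = base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            events.append(("malformed-dropped", selection, None))
            return b""
        if len(data) > max_copy_bytes:
            events.append(("oversize-dropped", selection, None))
            return b""
        # A newline or other control byte in clipboard text runs or edits a
        # command when pasted at a shell prompt, so record it for review.
        risky = any(b < 0x20 and b != 0x09 for b in data) or 0x7F in data
        events.append(("copy-flagged" if risky else "copy-allowed", selection, data))
        return match.group(0)

    return OSC52.sub(handle, stream), events


# Constructed sample stream: one plain copy, one query, one copy with a newline.
SAMPLE = (
    b"build ok\r\n"
    + b"\x1b]52;c;" + base64.b64encode(b"hello") + b"\x07"
    + b"\x1b]52;c;?\x1b\\"
    + b"\x1b]52;c;" + base64.b64encode(b"echo constructed\n") + b"\x07"
    + b"done\r\n"
)

if __name__ == "__main__":
    filtered, events = filter_osc52(SAMPLE)
    for event in events:
        print(event)
```

Flagged writes are passed through unchanged because multi-line copies are legitimate; the event list is what a reviewer or a stricter policy would act on.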




