From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Stefan Monnier <monnier@IRO.UMontreal.CA>
Newsgroups: gmane.emacs.devel
Subject: Re: X selection access in xterm (OSC 52)
Date: Fri, 17 Apr 2015 09:52:30 -0400
Message-ID: <jwvk2xayirh.fsf-monnier+emacs@gnu.org>
References: <CAArVCkTLfs8NLp1K_LhegV9FQuqa+r4qmBmq1McnQo5z8tpMAQ@mail.gmail.com>
	<CAP_d_8VgtOVrG6V5wguo9d9ekfLtsurms4tyM3VAfPeb4ZWsvw@mail.gmail.com>
	<jwvsiefwwcs.fsf-monnier+emacs@gnu.org>
	<CAArVCkT_ukCnifP5JZCvStOGV_HKwx8RPyo8SzPzPdNw2vDWvA@mail.gmail.com>
	<jwvzj8nqacj.fsf-monnier+emacs@gnu.org>
	<CAArVCkQx4WR2v-qEy1beeNW1uemFQhLBxOOyQ7OEDD2N0x7syg@mail.gmail.com>
	<CAArVCkTPqrW3tHz0fxTRgQLeKpKonR5XOG5xCEs9bPhstYGHPg@mail.gmail.com>
	<jwv3858r26f.fsf-monnier+emacs@gnu.org>
	<CAArVCkS8ChhkDZyBC2ya2Kk5_TkD+aw3LhtUi-fQEJcCEKkrJg@mail.gmail.com>
	<CAArVCkS9cn1OaK1re2DdFZ+mjRkCFLUsRKZh876vTfkusn1+bw@mail.gmail.com>
	<jwvr3seawqb.fsf-monnier+emacs@gnu.org>
	<CAArVCkQ7OWv1krmO0EdiYd0pXTBY1qyOFKusgv9wgW+K_GWskw@mail.gmail.com>
	<jwvoamyoxwu.fsf-monnier+emacs@gnu.org>
	<CAArVCkSqRjXD-Sq3HMo0qKb2rHEz54290+kzNNbAo-WQZ0qPDw@mail.gmail.com>
	<jwvbnism63n.fsf-monnier+emacs@gnu.org>
	<jwvegnn65hf.fsf-monnier+emacs@gnu.org>
	<jwv1tjjzdez.fsf-monnier+emacs@gnu.org>
	<CAArVCkRPNOxw7UcWt5GWEiDsis1R2VsekqN3TEsUrVbSFFYdbQ@mail.gmail.com>
	<CAArVCkQcJOZAfrRheepkqWXiFD++ide+pHd_vYxJGPCvUqYx7w@mail.gmail.com>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-Trace: ger.gmane.org 1429278779 30410 80.91.229.3 (17 Apr 2015 13:52:59 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Fri, 17 Apr 2015 13:52:59 +0000 (UTC)
Cc: Olaf Rogalsky <olaf.rogalsky@t-online.de>,
	Emacs developers <emacs-devel@gnu.org>, Yuri Khan <yuri.v.khan@gmail.com>
To: Philipp Stephani <p.stephani2@gmail.com>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Fri Apr 17 15:52:50 2015
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1Yj6hM-0003aQ-9I
	for ged-emacs-devel@m.gmane.org; Fri, 17 Apr 2015 15:52:48 +0200
Original-Received: from localhost ([::1]:41504 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1Yj6hL-0007Wv-HZ
	for ged-emacs-devel@m.gmane.org; Fri, 17 Apr 2015 09:52:47 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:51074)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <monnier@iro.umontreal.ca>) id 1Yj6h8-0007Wc-Dq
	for emacs-devel@gnu.org; Fri, 17 Apr 2015 09:52:35 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <monnier@iro.umontreal.ca>) id 1Yj6h5-0006q2-3O
	for emacs-devel@gnu.org; Fri, 17 Apr 2015 09:52:34 -0400
Original-Received: from chene.dit.umontreal.ca ([132.204.246.20]:46258)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <monnier@iro.umontreal.ca>) id 1Yj6h4-0006pu-Sq
	for emacs-devel@gnu.org; Fri, 17 Apr 2015 09:52:31 -0400
Original-Received: from ceviche.home (lechon.iro.umontreal.ca [132.204.27.242])
	by chene.dit.umontreal.ca (8.14.1/8.14.1) with ESMTP id t3HDqQgw011422; 
	Fri, 17 Apr 2015 09:52:27 -0400
Original-Received: by ceviche.home (Postfix, from userid 20848)
	id 197396610A; Fri, 17 Apr 2015 09:52:30 -0400 (EDT)
In-Reply-To: <CAArVCkQcJOZAfrRheepkqWXiFD++ide+pHd_vYxJGPCvUqYx7w@mail.gmail.com>
	(Philipp Stephani's message of "Fri, 17 Apr 2015 06:29:13 +0000")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 0
X-NAI-Spam-Rules: 1 Rules triggered
	RV5279=0
X-NAI-Spam-Version: 2.3.0.9393 : core <5279> : inlines <2742> : streams
	<1423991> : uri <1909098>
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 132.204.246.20
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:185521
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/185521>

> If I understand https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D38459=
3,
> this functionality was disabled by default on Debian-based systems for
> security reasons.

Ah, indeed I see in "man xterm" that allowWindowOps defaults to false
and that disallowedWindowOps includes both GetSelection and SetSelection.
If I try

   xterm -xrm '*.allowWindowOps: true'

Then things work.  Yay!

I don't see why SetSelection would be a serious security issue (tho
I guess if a program does the right SetSelection at the right time, you
could end up pasting dangerous commands into a shell).
For GetSelection, the problem can show up if you view "raw data" without
going though a pager, but if your terminal is busy running Emacs you're
safe ;-)

Hmm... these WindowOps really need to be fixed.  E.g. they could require
a secret key (=E0 la xauth), so an attacker wouldn't be able to send the
right command.  But of course, that can't be fixed on Emacs's side.


        Stefan


> Philipp Stephani <p.stephani2@gmail.com> schrieb am Fr., 17. Apr. 2015 um
> 08:25 Uhr:

>> Maybe something needs to be enabled? The documentation says "These
>> controls may be disabled using the allowWindowOps resource." I'll try it
>> today.
>>=20
>> Stefan Monnier <monnier@iro.umontreal.ca> schrieb am Fr., 17. Apr. 2015
>> um 04:40 Uhr:
>>=20
>>> Is that normal?  Do you guys see the same?  I'm using Debian's "xterm"
>>> package version 312-2, for what it's worth.
>>>=20
>>>=20
>>> Stefan
>>>=20
>>>=20
>>> >>>>> "Stefan" =3D=3D Stefan Monnier <monnier@IRO.UMontreal.CA> writes:
>>>=20
>>> >>> Yes, I took a look and I'll work on integrating the paste
>>> functionality.
>>> >>> Since cut and paste are mostly independent of each other, maybe you
>>> could
>>> >>> already integrate the cut patch?
>>> >> I just installed it (after adding a ChangeLog, and although it still
>>> >> lacks an etc/NEWS entry).
>>>=20
>>> > BTW, I can't seem to make this feature work for me.  I do:
>>>=20
>>> >    emacs -Q -nw
>>> >    M-x trace-function RET xterm--set-selection RET
>>> >    C-SPC M-f M-f M-f M-w
>>> >    <go to a previously running Emacs session in GUI mode>
>>> >    C-y
>>>=20
>>> > and instead of getting the three words from *scratch*, I get whatever
>>> > was already there before in the clipboard.  Yet, the trace buffer sho=
ws
>>> > that xterm--set-selection was called alright (and edebugging it also
>>> > indicates that it seems to be doing what it should).
>>>=20
>>>=20
>>> >         Stefan
>>>=20
>>=20