Bug 367899

Summary: Please consider sanitizing middle-click-pasted text control characters for security reasons
Product: [Applications] konsole
Reporter: Sami Liedes <sami.liedes>
Component: copy-paste
Assignee: Konsole Developer <konsole-devel>
Status: RESOLVED FIXED
Severity: normal
CC: jpalecek, martin.sandsmark
Priority: NOR
Version: 16.04.2
Target Milestone: ---
Platform: Debian unstable
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Sami Liedes 2016-08-27 14:53:38 UTC
While middle-click-pasting text into konsole, control characters like ESC (or probably Ctrl-C) get through, which has security implications. Most other terminals, especially xterm and gnome-terminal, sanitize the characters they let through (e.g. changing ESC into "^["), making it generally safe to paste in cat >textfile.txt, vim or emacs.

Of course for this to be a viable attack route, it requires an attacker to usually get benign-looking text containing control characters on the clipboard. That may or may not be easy. Previously even browsers have greatly assisted in this.

Reproducible: Always

Steps to Reproduce:
1. echo -e '\e:!echo foo' |xclip -i (or copy similar text from an application)
2. Middle-click paste to konsole in vim insert mode
3. Observe that vim has executed the "echo foo" shell command.
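
An added example, not part of the original report and not Konsole's own code: a minimal paste filter of the kind the report asks for, rewriting control characters in caret notation (ESC becomes "^[") and recording where they occurred so a warning can be shown. The names `sanitize_paste` and `PasteResult`, the choice to let tab, newline and carriage return through, and the `<U+00XX>` rendering of C1 controls are assumptions of this sketch.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Result of sanitizing pasted text: the safe text plus the byte offsets of
// every control character that was rewritten (usable for a warning dialog).
struct PasteResult {
    std::string text;
    std::vector<size_t> offsets;
};

// Assumption: tab, newline and carriage return pass through unchanged; every
// other C0 control and DEL is rewritten in caret notation (ESC -> "^[").
// C1 controls encoded as UTF-8 (0xC2 0x80..0x9F) are rewritten as "<U+00XX>".
PasteResult sanitize_paste(const std::string &in) {
    PasteResult r;
    for (size_t i = 0; i < in.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(in[i]);
        if (c == '\t' || c == '\n' || c == '\r') {
            r.text += in[i];
        } else if (c < 0x20) {
            r.text += '^';
            r.text += static_cast<char>(c + 0x40);  // 0x1B -> '[', 0x03 -> 'C'
            r.offsets.push_back(i);
        } else if (c == 0x7F) {
            r.text += "^?";
            r.offsets.push_back(i);
        } else if (c == 0xC2 && i + 1 < in.size() &&
                   (static_cast<unsigned char>(in[i + 1]) & 0xE0) == 0x80) {
            // For a 0xC2 lead byte the code point equals the second byte.
            char buf[16];
            std::snprintf(buf, sizeof buf, "<U+%04X>",
                          static_cast<unsigned>(static_cast<unsigned char>(in[i + 1])));
            r.text += buf;
            r.offsets.push_back(i);
            ++i;                                    // skip the continuation byte
        } else {
            r.text += in[i];                        // printable or other UTF-8
        }
    }
    return r;
}

int main() {
    // Constructed sample: the clipboard text from the reproduction steps.
    PasteResult r = sanitize_paste("\x1b:!echo foo\n");
    std::printf("%s(%zu control character(s) rewritten)\n",
                r.text.c_str(), r.offsets.size());
    return 0;
}
```

With this filter the pasted text from step 1 reaches vim as the literal characters `^[:!echo foo`, so it is inserted as text instead of leaving insert mode.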
Comment 1 Egmont Koblinger 2016-09-10 20:41:08 UTC
gnome-terminal fixed this only about a year ago. Tracking bug (with hopefully some additional useful information): https://bugzilla.gnome.org/show_bug.cgi?id=753197
Comment 2 Kurt Hindenburg 2016-09-17 17:12:51 UTC
Thanks
Comment 3 Jiri Palecek 2017-02-19 19:51:44 UTC
Maybe showing the text being pasted with a warning would suffice. What do you think?
Comment 4 Sami Liedes 2017-02-19 20:54:28 UTC
You mean that instead of silently dropping control characters, Konsole would open a popup window showing the entire pasted text with control characters visible and ask if you want to paste it?

I guess that would kind of solve the security problem, though I note that the text being pasted may be quite long for a popup (I don't know what the maximum size is, but I think at least hundreds of thousands of bytes is possible), and the malicious part could be hidden in the middle.

Do you think someone relies on being able to paste control characters? I guess it's entirely possible.
Comment 5 Martin Sandsmark 2021-07-06 11:34:04 UTC
Already implemented a long time ago, this bug is probably a duplicate. (Noticed it because somehow a regression has sneaked in and Konsole has started warning about newlines as control characters, not newlines...).