While middle-click-pasting text into konsole, control characters like ESC (or probably Ctrl-C) get through, which has security implications. Most other terminals, especially xterm and gnome-terminal, sanitize the characters they let through (e.g. changing ESC into "^["), making it generally safe to paste in cat >textfile.txt, vim or emacs. Of course for this to be a viable attack route, it requires an attacker to usually get benign-looking text containing control characters on the clipboard. That may or may not be easy. Previously even browsers have greatly assisted in this.

Reproducible: Always

Steps to Reproduce:
1. echo -e '\e:!echo foo' |xclip -i (or copy similar text from an application)
2. Middle-click paste to konsole in vim insert mode
3. Observe that vim has executed the "echo foo" shell command.
gnome-terminal fixed this only about a year ago. Tracking bug (with hopefully some additional useful information): https://bugzilla.gnome.org/show_bug.cgi?id=753197
Thanks
Maybe showing the text being pasted with a warning would suffice. What do you think?
You mean that instead of silently dropping control characters, Konsole would open a popup window showing the entire pasted text with control characters visible and ask if you want to paste it? I guess that would kind of solve the security problem, though I note that the text being pasted may be quite long for a popup (I don't know what the maximum size is, but I think at least hundreds of thousands of bytes is possible), and the malicious part could be hidden in the middle. Do you think someone relies on being able to paste control characters? I guess it's entirely possible.
Already implemented a long time ago, this bug is probably a duplicate. (Noticed it because somehow a regression has sneaked in and Konsole has started warning about newlines as control characters, not newlines...).
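The filtering described in the report (ESC shown as "^[") combined with the warning discussed in the comments, as an added example that is not Konsole's, xterm's or gnome-terminal's code. The names sanitizePaste and PasteReport and the policy of letting only TAB and LF through are assumptions made for illustration; the byte offsets let a warning point at control characters hidden in the middle of a long paste.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Result of filtering one paste: the text that is safe to forward to the
// terminal, plus the byte offset (in the original paste) of every control
// character that was rewritten, so a warning can point at each one.
struct PasteReport {
    std::string safeText;
    std::vector<std::size_t> controlOffsets;
};

// Assumed policy (not taken from any terminal's source): TAB and LF pass
// through; every other C0 control and DEL is rewritten in caret notation.
// C1 controls encoded in UTF-8 are outside the scope of this sketch.
static bool isBlockedControl(unsigned char c) {
    if (c == '\t' || c == '\n') return false;
    return c < 0x20 || c == 0x7f;
}

PasteReport sanitizePaste(const std::string &pasted) {
    PasteReport report;
    report.safeText.reserve(pasted.size());
    for (std::size_t i = 0; i < pasted.size(); ++i) {
        const unsigned char c = static_cast<unsigned char>(pasted[i]);
        if (isBlockedControl(c)) {
            report.controlOffsets.push_back(i);
            report.safeText += '^';
            // XOR 0x40 maps 0x1b -> '[', 0x03 -> 'C', 0x7f -> '?'
            report.safeText += static_cast<char>(c ^ 0x40);
        } else {
            report.safeText += static_cast<char>(c);
        }
    }
    return report;
}

int main() {
    // Constructed sample: the payload from the steps to reproduce, placed
    // in the middle of otherwise ordinary text.
    const std::string paste = "first line\n\x1b:!echo foo\nlast line\n";
    const PasteReport r = sanitizePaste(paste);
    std::printf("%s", r.safeText.c_str());
    for (std::size_t off : r.controlOffsets)
        std::printf("control character at byte offset %zu\n", off);
    return 0;
}
```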