Created attachment 150428
Screencast of execution

SUMMARY
Konsole protects from middle-click paste by not immediately executing anything ... unless it is pasted while a GUI process is open.

STEPS TO REPRODUCE
1. copy text "echo hello world" including a trailing newline character from an editor
2. go to konsole and open glxgears
3. paste the text into konsole with a single middle-click
4. exit glxgears

OBSERVED RESULT
The echo is executed once glxgears returns.

EXPECTED RESULT
The pasted text, even if multiline, should be placed in the line editor's buffer and highlighted yellow, same as it is when no glxgears is running in the foreground.

SOFTWARE/OS VERSIONS
Operating System: Kubuntu 22.04
KDE Plasma Version: 5.24.4
KDE Frameworks Version: 5.92.0
Qt Version: 5.15.3
Kernel Version: 5.15.0-40-generic (64-bit)
Graphics Platform: X11
Processors: 8 × Intel® Core™ i7-4700MQ CPU @ 2.40GHz
Memory: 15.5 GiB of RAM
Graphics Processor: Mesa Intel® HD Graphics 4600

ADDITIONAL INFORMATION
The protection from execution is done via a protocol between the application or shell and the terminal emulator called bracketed paste. The shell or application has to request bracketed paste for it to work. For backwards compatibility, your shell (bash/zsh/...) is disabling bracketed paste prior to executing a program, because the executed program may not understand bracketed paste at all. If the program understands bracketed paste (e.g. vim), it's then its responsibility to enable it. glxgears doesn't understand bracketed paste (or even paste) at all, so bracketed paste mode will be disabled while glxgears is running.
OK, so this bracketed paste shall prevent immediate execution of pasted text. Pasting into an application like an editor that does not understand this protocol seems to be fine, as it will most likely not execute commands. So disabling the protection seems reasonable. As we see, some programs like glxgears ignore console input altogether and only dump a few messages out. That is also unproblematic - still no one is executing the stuff. Now, here is the catch: After the program exits, the shell, e.g. bash, should re-enable the bracketed paste protocol. How come they don't wipe out the buffers and instead run what is left in there? Isn't this still a security hole?
Reported to bash also: https://savannah.gnu.org/support/index.php?110686
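
Added example, not part of the original thread and not Konsole or bash code: a small Python model of the bracketed paste exchange discussed in the comments above (the mode 2004 escape sequences used by xterm-compatible terminals), run on the report's own pasted text. The class and function names and the `flush_on_return` option are hypothetical; the flush models the reporter's "wipe out the buffers" idea and is not something bash is known to do.

```python
# Constructed model of bracketed paste (private mode 2004); not Konsole or bash code.
ENABLE, DISABLE = b"\x1b[?2004h", b"\x1b[?2004l"     # written by the shell/application
PASTE_START, PASTE_END = b"\x1b[200~", b"\x1b[201~"  # added by the terminal around a paste

class Terminal:
    """Terminal emulator side: tracks mode 2004 and queues input for the tty."""
    def __init__(self):
        self.bracketed = False
        self.tty_queue = bytearray()  # bytes waiting for whichever process reads next

    def output_from_app(self, data: bytes) -> None:
        on, off = data.rfind(ENABLE), data.rfind(DISABLE)
        if on != off:                 # at least one of the two sequences is present
            self.bracketed = on > off  # the last one written wins

    def paste(self, text: bytes) -> None:
        self.tty_queue += PASTE_START + text + PASTE_END if self.bracketed else text

def shell_read(term: Terminal):
    """Shell line editor side: returns (executed_commands, held_in_edit_buffer)."""
    data, executed, held = bytes(term.tty_queue), [], b""
    term.tty_queue.clear()
    while data:
        if data.startswith(PASTE_START):
            body, _, data = data[len(PASTE_START):].partition(PASTE_END)
            held += body              # pasted newlines are inserted as text, never run
            continue
        typed, marker, rest = data.partition(PASTE_START)
        data = marker + rest
        for line in typed.splitlines(keepends=True):
            if line.endswith(b"\n"):  # an unbracketed newline acts as Enter
                executed.append((held + line[:-1]).decode())
                held = b""
            else:
                held += line
    return executed, held

def run_scenario(gui_program_running: bool, flush_on_return: bool = False):
    term = Terminal()
    term.output_from_app(ENABLE)       # shell at its prompt enables mode 2004
    if gui_program_running:
        term.output_from_app(DISABLE)  # shell disables it before starting the program
    term.paste(b"echo hello world\n")  # the middle-click paste from the report
    if gui_program_running:            # the program exits without ever reading stdin
        if flush_on_return:            # hypothetical mitigation, also drops typeahead
            term.tty_queue.clear()
        term.output_from_app(ENABLE)   # re-enabled too late for bytes already queued
    return shell_read(term)
```

`run_scenario(False)` leaves the paste in the edit buffer, while `run_scenario(True)` returns it as an executed command, matching the observed result in the report.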