Bug 456373 - pasted command executes after GUI-app exits
Summary: pasted command executes after GUI-app exits
Status: RESOLVED NOT A BUG
Alias: None
Product: konsole
Classification: Applications
Component: copy-paste (show other bugs)
Version: 21.12.3
Platform: Ubuntu Linux
: NOR normal
Target Milestone: ---
Assignee: Konsole Developer
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-07-05 23:14 UTC by Holger
Modified: 2022-07-11 19:58 UTC (History)
1 user (show)

See Also:
Latest Commit:
Version Fixed In:


Attachments
Screencast of execution (1.43 MB, video/ogg)
2022-07-05 23:14 UTC, Holger
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Holger 2022-07-05 23:14:30 UTC
Created attachment 150428 [details]
Screencast of execution

SUMMARY

Konsole protects from middle-click paste by not immediately executing anything ... unless it is pasted, while a GUI process is open.


STEPS TO REPRODUCE
1. copy text "echo hello world" including a trailing newline character from an editor
2. go to konsole and open glxgears
3. paste the text into konsole with a single middle-click
4. exit glxgears

OBSERVED RESULT

The echo is executed once glxgears returns.

EXPECTED RESULT

The pasted text, even if multiline should be places in the line-editors buffer and highlighted yellow, same as it does, when no glxgears is running in foreground.

SOFTWARE/OS VERSIONS

Operating System: Kubuntu 22.04
KDE Plasma Version: 5.24.4
KDE Frameworks Version: 5.92.0
Qt Version: 5.15.3
Kernel Version: 5.15.0-40-generic (64-bit)
Graphics Platform: X11
Processors: 8 × Intel® Core™ i7-4700MQ CPU @ 2.40GHz
Memory: 15.5 GiB of RAM
Graphics Processor: Mesa Intel® HD Graphics 4600

ADDITIONAL INFORMATION
Comment 1 ninjalj 2022-07-06 16:46:55 UTC
The protection from execution is done via a protocol between the application or shell and the terminal emulator called bracketed paste. The shell or application has to request bracketed paste for it to work.

For backwards compatibility, your shell (bash/zsh/...) is disabling bracketed paste prior to executing a program, because the executed program may not understand bracketed paste at all. If the program understands bracketed paste (e.g. vim), it's then its responsability to enable it.

glxgears doesn't understand bracketed paste (or even paste) at all, so bracketed paste mode will be disabled while glxgears is running.
Comment 2 Holger 2022-07-11 19:36:04 UTC
OK, so this bracketed paste shall prevent immediate execution of pasted text. Pasting into an application like an editor, that does not understand this protocol, seems to be fine, as it will most likely not execute commands. So disabling the protection seems reasonable.

As we see, some programs like glxgears ignore console input all together and only dump a few messages out. That is also unproblematic - still no one is executing the stuff.

Now, here is the catch: After the program exits, the shell e.g. bash should re-enable the bracketed paste protocol. How come, they don't wipe out the buffers and instead run what is left in there? Isn't this still a security hole?
Comment 3 Holger 2022-07-11 19:58:58 UTC
reported to bash also:
https://savannah.gnu.org/support/index.php?110686