[aklug] Re: browser copy-and-paste vulnerability

From: <bryanm@acsalaska.net>
Date: Wed Apr 10 2013 - 03:21:13 AKDT

On Tue, April 9, 2013 5:25 pm, Jim Gribbin wrote:
>
> On Tue, Apr 9, 2013 at 3:42 PM, barsalou <barjunk@attglobal.net> wrote:
>
>> Quoting bryanm@acsalaska.net:
>>
>>> Here's a useful warning about why you might not want to copy and paste
>>> commands from a web page -- or, I imagine, from an HTML email.
>>>
>>> http://thejh.net/misc/website-terminal-copy-paste
>>>
>>
>> Am I being too narrow in my thinking or can this be thwarted by copying
>> and pasting that code into something like notepad?
>>
>> That would certainly expose any hidden code.
>>
>> Of course folks may not be thinking of that as they are copying and
>> pasting code.
>>
>
> That was kind of cute...
>
> I copied and pasted that into a notepad/text-editor screen, and Mike
> was correct. You see all the sneaky code stuff you don't want. I attempted
> to copy/paste the line into a terminal on my Android device, and I didn't even
> get a chance to review the line before it executed. It just went. Of
> course, my Android tablet doesn't use /etc/passwd, so the command failed.
>
> I will definitely have to keep this in mind the next time I'm being lazy and
> copy/pasting commands from a web-page. Something I tend to do when I'm
> following along on how to do something I haven't done before.
>
> I do tend to think I would be curious about the nice little box w/ the
> colored background around the text...

As the linked comments point out, there are ways of getting around proposed
protections. For example, if you paste into vi, the text could include ":q!"
followed by the nasty commands. Pasting into a GUI text editor might actually
work, as long as there are no keystrokes that could provide access to a
command shell.

Or you could paste from the HTML source. You'd be able to detect any funny
business, and if everything looks okay, I don't see why it wouldn't be safe.

--
Bryan Medsker
bryanm@acsalaska.net
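The two checks the thread arrives at, reading the HTML source for text that is copied but never drawn, and looking for the line break that makes a pasted command run before it can be reviewed, can be automated. The following is an added example written for this page; it is not code from the linked article or from any list member. The hiding styles it looks for, and the two sample HTML snippets, are constructed assumptions for the demonstration.

```python
"""
Inspect what a web page would put on the clipboard before it reaches a shell.

Two checks: (1) parse the HTML source and report text that is copied but not
drawn on the page; (2) scan the copied text for characters a terminal acts on,
chiefly the newline that submits the command before it can be reviewed.
"""
import re
import unicodedata
from html.parser import HTMLParser

# CSS that keeps text in the document (so it is copied) while it is not drawn.
# Assumed list for this example; real pages may use other tricks.
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0\b|"
    r"(?:left|top)\s*:\s*-\d"
)
# CSI and two-byte ESC sequences that could repaint the terminal line.
ANSI_ESCAPE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b[@-Z\\-_]")


class CopyAudit(HTMLParser):
    """Collect the copied text and, separately, the text inside hidden elements."""

    def __init__(self) -> None:
        super().__init__()
        self.copied: list[str] = []
        self.hidden: list[str] = []
        self._stack: list[bool] = []  # one flag per open element: hidden or not

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        self._stack.append(bool(HIDING_CSS.search(style)))

    def handle_endtag(self, tag):
        if self._stack:
            self._stack.pop()

    def handle_data(self, data):
        self.copied.append(data)
        if any(self._stack):  # inside at least one hidden ancestor
            self.hidden.append(data)


def audit_clipboard(html: str) -> dict:
    """Return the text a copy would produce plus a list of human-readable findings."""
    parser = CopyAudit()
    parser.feed(html)
    parser.close()
    text = "".join(parser.copied)
    findings = []

    hidden = "".join(parser.hidden).strip()
    if hidden:
        findings.append(f"text copied but not drawn on the page: {hidden!r}")
    # A trailing newline is common in <pre> blocks; an embedded one is the problem.
    if "\n" in text.rstrip("\n") or "\r" in text:
        findings.append("embedded line break: a terminal would run the first part "
                        "before you could review it")
    if ANSI_ESCAPE.search(text):
        findings.append("ANSI escape sequence: could repaint the line in the terminal")
    odd = sorted({c for c in text
                  if unicodedata.category(c) in ("Cc", "Cf") and c not in "\n\r\t\x1b"})
    if odd:
        findings.append("control or format characters: "
                        + ", ".join(f"U+{ord(c):04X}" for c in odd))
    return {"text": text, "findings": findings}


# Constructed samples, not the linked article's page. The second one hides a
# harmless extra command and a newline by moving a span off-screen.
CLEAN_HTML = "<pre>ls -l /tmp</pre>"
SNEAKY_HTML = ('<pre>ls -l <span style="position:absolute; left:-1000px">'
               '; echo hidden\n</span>/tmp</pre>')

if __name__ == "__main__":
    for name, html in (("clean", CLEAN_HTML), ("sneaky", SNEAKY_HTML)):
        result = audit_clipboard(html)
        print(f"{name}: would paste {result['text']!r}")
        for finding in result["findings"]:
            print("  -", finding)
```

Pasting into a plain text editor, as suggested earlier in the thread, shows the same thing as the `text` field here; the audit just does it without the keystroke risk the vi `:q!` example illustrates. A clean snippet yields no findings, while the off-screen span is reported both as undrawn text and as an embedded line break.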
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Wed Apr 10 03:21:20 2013

This archive was generated by hypermail 2.1.8 : Wed Apr 10 2013 - 03:21:20 AKDT