
Don't Copy-Paste from Website to Terminal - dave1010uk
http://thejh.net/misc/website-terminal-copy-paste
======
NelsonMinar
Why would I bother copying and pasting the code to my clipboard when common
industry practice now is just to invoke the output of curl directly?

    ruby -e "$(curl -fsSL https://raw.github.com/mxcl/homebrew/go)"

~~~
charlieok
I dislike this whole trend. How about we start thinking in terms of leaving
the user's default environment, and system, alone, and “installing” software
into nice sandboxed areas where we can easily enable/disable it, or delete it
with a simple “rm -rf directory/path”

~~~
csense
I put all my sensitive files under my home directory. Every subdirectory of my
home directory is non-world-accessible, and I have a cron job which chmod's
world privileges away from new files and directories that don't match a
whitelist of directories I wish to publish (e.g. ~/public_html).

I've started giving each application its own user and group, and do the git
checkout, compile, and install as that user. (You don't need root for "make
install" if you ran configure with the --prefix option.) Then I _know_ it's
not going to be able to write anywhere but its own directories, and won't be
able to see my browsing activities or sensitive files, because UNIX
permissions won't let it. For added security, once the software is built, move
it to a location where only root can write, and chown -R root:root.

You can also use VM's for added security. With the new namespaces in 3.8 (the
kernel for Ubuntu Raring Ringtail), it should (in theory) be safe to let
untrusted software have root in a Linux container (LXC). (LXC is like chroot
but you can virtualize stuff like the network, and since the guest uses the
host's kernel memory allocator, you don't have to dedicate a block of memory
to running the guest as you would with Xen or Virtualbox.)

~~~
trotsky
It seems like you've been putting a lot of effort in, but POSIX uid/gid
isolation is increasingly porous with the typical desktop environment these
days. It sounds like you are ready for real RBAC - if you put the time in,
SELinux (or AppArmor or grsec) is leaps and bounds more effective.

~~~
sliverstorm
uid/gid is generally a sound system, the problem IMO is basically that no one
uses it for serious security, so a lot of things are not set up to be properly
careful by default.

~~~
XorNot
uid/gid on Linux also is terrible for trying to enforce inheritance. POSIX
ACLs help, but they're strikingly poorly documented/supported.

------
moonboots
Bash and Zsh provide shortcuts to open a text editor where commands can be
pasted and edited before running (Ctrl-x Ctrl-e in bash, need to enable in zsh
[2]). I've been using this on Linux not for security but because I'm still
confused by X11's primary and clipboard selections [1]. It seems like every
time I try to paste a github repo link, I get the last chunk of code I copied
and vice versa.

[1] <http://www.nongnu.org/autocutsel/>

[2] Sample .zshrc to map edit-command-line to Ctrl-x e:

    autoload edit-command-line
    zle -N edit-command-line
    bindkey '^Xe' edit-command-line

edit: fixed shortcut for bash

edit: forgot about my .zshrc

~~~
cmsj
Out of interest, what is confusing? If you select text it always goes into the
selection buffer. If you also press the clipboard copy shortcut (so, Ctrl-C
most of the time, sometimes Ctrl-Shift-C in a terminal) the selection is
copied into the clipboard buffer.

Ctrl-V (or, again, sometimes Ctrl-Shift-V in a terminal) pastes the clipboard
buffer. Middle mouse button (or shift-Insert) pastes the selection buffer.

Is there still room for confusion?

~~~
perlgeek
Firefox causes additional confusion by rebinding Ctrl+Insert to what Ctrl+v
usually does (copying the clipboard buffer, not the selection buffer).

Also there are some cases where javascript which selects text for you causes
very unintuitive behavior wrt selection buffer.

~~~
cmsj
Just one more reason to abandon the extraordinary towering failure that is
Firefox ;)

------
raymondh
Nicely done! Here's the underlying source:

        <p class="codeblock">
          <!-- Oh noes, you found it! -->
          git clone
          <span style="position: absolute; left: -100px; top: -100px">/dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!<br>Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd<br>git clone </span>
          git://git.kernel.org/pub/scm/utils/kup/kup.git
        </p>

~~~
cmsj
I was expecting it to be done with Javascript, which is, afaik, how the
horrible websites that tack a URL and a "this quote came from blah"
attribution, work.

I hate all of this stuff and it is greatly saddening that browser vendors are
not protecting us from it. It's like the pop-up-on-click days of old and it
must stop.

If I select some text and copy it, I am taking a very explicit action. I am
giving the computer a very explicit instruction. There is no room for
interpretation. It must not disobey me!

~~~
eli
That's a pretty narrow view. Sometimes I want a site to capture selections or
right-click (think: WYSIWYG editor widget). Your beef is with the site owners
who put that obnoxious stuff on their site, not with the browser that displays
it. There is no limit to the number of ways a site owner can do dumb and
annoying things to their readers.

~~~
gbog
> capture selections or right-click (think: WYSIWYG editor widget)

Why, no, not the same.

I think it is ok for a webapp to be aware that I selected some text, and which
text, so a further click on "boldface" would have a context.

But it is not ok for a webapp to interfere with the text selection itself.

For instance, well-intentioned Chrome always adds "http://" when I select the
url. It gets in my way very often and it is not what I intended: I did select
google.com with my mouse very carefully, I do not want Chrome to be clever and
add "http://". By the way, this issue comes from the excessively minimal UI:
Chrome should not hide "http://" in the url bar, full stop.

I do not use Evernote because it messes with my selections.

I have to use Trello at work but this bully doesn't even let me select a card
title.

And the list goes...

~~~
IanCal
"I have to use Trello at work but this bully don't even let me select a card
title."

It does if the card is open, are you referring to it assuming you're trying to
drag a card on the board view? I'd rather have that than sometimes it drags,
sometimes it selects the text.

~~~
gbog
I mean that when I click on a title Trello assumes I want to edit it. Is that
too hard to have a light gray edit icon for that purpose?

~~~
IanCal
I can't double/triple click but clicking and dragging works just fine for me.

------
joliss
I suspect that the only way to effectively mitigate this is in the terminal
application, by displaying a confirmation _with the pasted text_ before
accepting any multi-line[1] paste. For example here:
<https://code.google.com/p/iterm2/issues/detail?id=594>

[1] There may be other dangerous characters besides newlines, e.g. escape
sequences. I'm not sure if it's possible to make an exhaustive list for
something like Bash. Perhaps one has to guard against _any_ paste?
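
An added example, not code from the page or from anyone in this thread, of the check joliss describes, done on the shell side rather than in the terminal emulator: read the candidate command from stdin (in real use, pipe in `xclip -o` or `pbpaste`), refuse it unless it is a single line with no control bytes, and otherwise dump the raw bytes so the embedded newlines are visible. The sample paste is constructed to resemble what the hidden `<span>` on the linked page produces.

```shell
#!/bin/sh
# Added example (not from the page): audit pasted text before it reaches the
# prompt. Reads the candidate command from stdin and rejects anything that is
# not one clean line, printing an od -c dump so the hidden bytes can be seen.

# Constructed sample: what the linked page's hidden <span> yields. The two
# newlines are invisible when rendered, but each one acts as Enter in a
# terminal, so the "one-liner" becomes three commands run back to back.
SAMPLE_PASTE='git clone
/dev/null; echo "this would have run"
git clone git://git.kernel.org/pub/scm/utils/kup/kup.git'

# Number of newline characters on stdin (each one is an implicit Enter).
count_newlines() {
    tr -cd '\n' | wc -c | tr -d ' '
}

# Number of bytes a terminal or readline interprets instead of displaying:
# carriage return (0x0d) and escape (0x1b, the start of control sequences).
count_control_bytes() {
    tr -cd '\r\033' | wc -c | tr -d ' '
}

# Exit 0 if stdin is a single line with no control bytes; otherwise report
# the counts, dump the bytes to stderr (od -c shows \n, \r and 033) and
# exit 1 so a wrapper can refuse to hand the text to the shell.
paste_audit() {
    text=$(cat; printf x)   # the trailing x keeps final newlines intact
    text=${text%x}
    nl=$(printf '%s' "$text" | count_newlines)
    ctl=$(printf '%s' "$text" | count_control_bytes)
    if [ "$nl" -eq 0 ] && [ "$ctl" -eq 0 ]; then
        return 0
    fi
    printf 'REFUSED: %s newline(s), %s control byte(s). Raw bytes:\n' \
        "$nl" "$ctl" >&2
    printf '%s' "$text" | od -c >&2
    return 1
}

# Demo on the constructed sample: exit status 1 and a dump on stderr.
printf '%s' "$SAMPLE_PASTE" | paste_audit || echo "paste rejected; review it first"
```

A paste with a single trailing newline is also refused, which is deliberate: that newline is exactly what makes an otherwise harmless command execute the moment it is pasted.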

~~~
jakub_g
It's still possible to circumvent this by creating a one-liner using
semicolons. Just grab a code like [2] and append `; rm -rf` to the selection.
If the original selection was a one-liner, it'll still be.

[2] <http://stackoverflow.com/a/4777746/>

~~~
joliss
My idea was that if you're pasting a single line, then at least you can review
the command you pasted before hitting enter.

~~~
jakub_g
I've just realized that you meant the fact that multiline pastes are often
immediately executed, right?

I've tried various ways of input to my console (MINGW/WinXP) for multiline
pastes, and the results are as follows:

1. Right-click multiline paste: unsafe (executes immediately)
2. Windows paste (alt-space, e, p): unsafe (executes immediately)
3. Insert or Shift-Insert: safe (pastes only the first line)

------
networked
Perhaps the real problem here is that, as noted by Ted Nelson back when the
concept started to gain popularity, "[the computer clipboard is] just like a
regular clipboard, except (a) you can't see it, (b) it holds only one object,
(c) whatever you put there destroys the previous contents." The presented
vulnerability hinges on (a), and, Glipper [1] notwithstanding, (a)-(c) is
still the default behavior in every GUI I use.

[1] <https://launchpad.net/glipper>

~~~
SoftwareMaven
Because of b and c, I would go _nuts_ trying to use a text editor that didn't
support an emacs-like "clipboard"[1] ring. I'm constantly dumping stuff in and
pulling it out in arbitrary order. It is nice to have a solution to a in the
process, too.

1. Yes, I know it is a kill ring in emacs.

------
comex
Well... yeah, but even without hidden text, what are you going to do after you
clone the repository? Probably `make` or `ruby something.rb` or any number of
other commands that can run arbitrary code. If you don't trust someone, you
shouldn't be trying to clone their git repo in the first place.

~~~
gizmo686
But the code I am copying is "git clone
git://git.kernel.org/pub/scm/utils/kup/kup.git"

I know what "git clone" does, and I do trust code from git.kernel.org.

~~~
gyepi
Actually, you're copying more than a git clone command. That's the point of
the posting. Look at the source or paste into a text editor to see it.

~~~
38leinad
I think gizmo686 is aware of that. What he says is that he trusted the source
where he c&p's from. If you don't trust the source you should not blindly
copy any command. Even one flag/parameter that you might not know can do harm.
There do not have to be hidden characters to make it harmful and dangerous.

------
miles
Lynx user not affected: <http://tinyapps.org/lynx_not_affected.png>

~~~
Thrall
I noticed this too. Sometimes the simple solutions are the best (compare with
the long thread of suggested solutions further down this page).

It's like a master-criminal's subtle and sophisticated plan being foiled by a
simpleton because it assumed that the victims would be able to read.

------
hollerith
One of many examples by which making the web a better "application-delivery"
platform makes it less secure, less reliable, less predictable and more
tedious in its original role of sharing text, images and links.

~~~
ams6110
And another good reason to not work in root shells routinely. As damaging as
something like this might still be, it will be confined to just one account if
you are not running as root.

~~~
h2s
Sadly this is not complete protection. Many Linux distributions configure sudo
to prompt for the password only once every 15 minutes or so. If you have
successfully executed sudo in your terminal within the last 15 minutes, any
malicious code that you run can silently escalate its privileges to root just
by starting with "sudo -i;".

You need to have the following in /etc/sudoers in order to be truly protected
by not being logged-in as root:

    Defaults timestamp_timeout=0

------
SG-
I'm confused why this is even allowed by the browsers, you shouldn't be able
to send something else to the clipboard. Are there any browser extensions that
can 'fix' this issue?

~~~
jiggy2011
Problem is , as far as the browser knows you meant to copy the whole thing.

If you look at the source the actual text of that paragraph is what gets
copied, they just use some sneaky CSS to make it not visible. It's not
explicitly marked as hidden.

~~~
crazygringo
Yeah -- I mean, it would be easy enough for browsers to not include text
marked as display:none or visibility:hidden.

But there are so many other tricks to hiding text -- margin-left:-10000px,
font-size:0, color:white, and so on, that there's really no way to avoid this.

So I can't even imagine how a browser extension would 'fix' this -- no matter
how clever it tried to be, there would almost always be some way around it.

~~~
gmaslov
OCR would work ;-)

~~~
LukeShu
So, I know that was a joke, but now I'm trying to figure out why it's a bad
idea.

The browser can generate some kind of map for which region of the screen is
what font. If you don't have to guess the font, OCR should be easy and
reliable. That takes care of the hidden text issue. But second, it means one
would be able to copy/paste text that is in an image (because some web
designers hate you).

~~~
jiggy2011
But you don't select text by selecting an area technically, you select a
sequence of characters.

You could do a per character visibility test at the time of copying, but
sometimes you want to copy text that is not currently visible on your screen.

For example doing Ctrl+A in a document.

------
dave1010uk
Note: if you don't trust this, paste into a text editor!

It works with this CSS:

    position: absolute; left: -100px; top: -100px

~~~
nwh
I wonder if you could do the same with Unicode control characters. There's
probably something in the depths of the library that would have a similar
outcome.

------
LogicX
Pasted result is:

      git clone
    
      /dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!
    
      Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd
    
      git clone git://git.kernel.org/pub/scm/utils/kup/kup.git

~~~
TheJH_
You might want to mark the newlines in that command... without those, the
attack would be pretty boring.

~~~
LogicX
fixed.

------
cirwin
Good terminal emulators (xterm, urxvt, iTerm2, etc.) have support for
"bracketed paste mode" which can be used to fix this problem in zsh:
<https://github.com/robbyrussell/oh-my-zsh/pull/1698> (original code:
<http://www.zsh.org/mla/users/2011/msg00367.html>)

It's probably easy to write a similar fix for bash.
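
The bash counterpart to the zsh patch cirwin links, as an added example that is not code from the page or from that patch, together with a check for the one kind of input bracketed paste cannot protect against on its own. Assumed: bash 4.4 or later with GNU readline 7 or later, where the readline variable `enable-bracketed-paste` exists (it defaults to on from bash 5.1). Whether the marker-in-the-paste case is the bypass TheJH_ refers to below is not stated in this thread; it is a general property of the mechanism, and terminal emulators that are aware of it filter the marker out of pasted data.

```shell
#!/bin/sh
# Added example (not from the page or the linked zsh patch).
# With enable-bracketed-paste on, the terminal wraps a paste in
# ESC [ 200 ~ ... ESC [ 201 ~ and readline inserts everything in between
# as literal text, so embedded newlines land in the edit buffer instead of
# being treated as Enter. Nothing runs until you press Enter yourself.

# Lines for ~/.inputrc (equivalently: bind 'set enable-bracketed-paste on').
inputrc_fragment() {
    cat <<'EOF'
set enable-bracketed-paste on
EOF
}

# The closing marker the terminal sends after a paste.
PASTE_END=$(printf '\033[201~')

# If the pasted bytes themselves contain the closing marker, readline sees
# the paste end early and handles whatever follows as typed keystrokes,
# newlines included. This returns that tail (empty when the paste is safe).
escaped_tail() {
    case $1 in
        *"$PASTE_END"*) printf '%s' "${1#*"$PASTE_END"}" ;;
        *) ;;
    esac
}

# 0 if the paste carries no closing marker and bracketed paste fully
# protects it; 1 if part of it would escape the bracket.
paste_is_bracket_safe() {
    case $1 in
        *"$PASTE_END"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed samples. BENIGN is the linked page's trick on its own: the
# newline is inserted into the buffer, not executed. EVIL smuggles the
# closing marker so the second half would be "typed", newline and all.
BENIGN='git clone
git://git.kernel.org/pub/scm/utils/kup/kup.git'
EVIL="git clone ${PASTE_END}"'; echo injected
git://git.kernel.org/pub/scm/utils/kup/kup.git'

paste_is_bracket_safe "$BENIGN" && echo "BENIGN: stays inside the bracket"
paste_is_bracket_safe "$EVIL" || {
    echo "EVIL: these bytes would be handled as keystrokes:"
    escaped_tail "$EVIL" | od -c
}
```

The practical reading: turn bracketed paste on (it costs nothing), but keep treating it as a convenience rather than a guarantee, since it depends on the terminal emulator sanitising the paste.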

~~~
TheJH_
I initially thought it'd work, but actually, this protection can be
circumvented. See the updated version of
<http://thejh.net/misc/website-terminal-copy-paste>.

------
andrelaszlo
I usually put a # before anything I paste into a terminal. Mostly because I
sometimes get a newline at the end, but it will disarm this behavior too. I'm
not sure if it works in all situations though. Edit: Won't work! Use a heredoc
(<<paste) or the editor method suggested above instead.

~~~
bluetooth
It won't work in this situation. Multiple commands here are separated by
newlines (like pressing enter on your keyboard) and putting # will only
comment out the first one.

~~~
andrelaszlo
Yep, you're right. This one had a " char on the second line that made me
confused. A heredoc will still work though, I should start doing that instead
:)
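
An added example, not code from anyone in this thread, that reproduces the two points made above: the leading `#` only comments out the first pasted line, and a heredoc does collect the whole paste, but only a heredoc with a quoted delimiter takes the body verbatim. andrelaszlo's `<<paste` as written is unquoted, and with an unquoted delimiter the shell still performs `$(...)` and backtick command substitution inside the body, so a command hidden that way runs anyway (the same reason TheJH_ later notes that backticks at the end of a line "evaluate first"). The pasted strings are constructed; in real use you would type `cat <<'paste'` at the prompt, paste, then type `paste` on its own line.

```shell
#!/bin/sh
# Added example (not from the thread): '#' versus heredoc, and why the quotes
# on the heredoc delimiter decide whether the trick is actually safe.

# Constructed two-line paste, like the one on the linked page.
PASTE='git clone
echo SECOND LINE RAN'

# Prefixing '#' comments out only the first line; the shell runs the rest.
# sh -c stands in for the interactive shell receiving the paste.
hash_prefix_result() {
    sh -c "#$PASTE"
}

# Unquoted delimiter: the heredoc body is expanded, so $(...) executes even
# though no line of the body is run as a command.
heredoc_unquoted() {
    cat <<EOF
git clone $(echo INJECTED) git://git.kernel.org/pub/scm/utils/kup/kup.git
EOF
}

# Quoted delimiter: the body is taken literally; nothing inside it runs.
# This is the form to type before pasting: cat <<'paste' > /tmp/pasted.sh
heredoc_quoted() {
    cat <<'EOF'
git clone $(echo INJECTED) git://git.kernel.org/pub/scm/utils/kup/kup.git
EOF
}

echo "with '#' prefix:"; hash_prefix_result
echo "unquoted heredoc:"; heredoc_unquoted
echo "quoted heredoc:";   heredoc_quoted
```

Once the paste is in a file, `cat -v` (or `cat -A` with GNU coreutils) makes stray control bytes visible, and the command is run deliberately with `sh /tmp/pasted.sh` only after reading it.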

------
Tyr42
Actually, I tried to copy it by triple-clicking, which selects one line (at
least, I expect it to; it's what Sublime Text does). That didn't copy any of
the malicious text, and it just stopped between the clone and the url.

~~~
TheJH_
I feared someone would do that. :D Well, it'd be easy to work around this if
you have JS enabled... without it, it would probably not be so easy to trick
you into copying multiple lines.

~~~
lmm
Even normal selection "stuck" funnily; I could tell there was something
between the clone and the rest of it. Again, possible to mitigate I'm sure.

------
Qantourisc
IMO this is the browsers fault. One expects to copy the selected (visible)
text. But kinda hard to fix ...

~~~
pekk
Doesn't the browser have a model of which text is visible? It has to. So why
not copy out of that model?

~~~
elliottcarlson
What constitutes as visible though? There is the obvious non-visible CSS
modifiers like display: hidden; - but at what point does an off screen
rendered text actually count as hidden? If you were wanting to copy the entire
contents of a page, and the browser assumed anything off screen was invisible
then you would not be able to copy everything at once when it goes below the
fold. Different screen resolutions and devices would cause other issues there
as well.

~~~
LnxPrgr3
The text isn't just not visible right now. It can't become visible. It lives
above and to the left of the start of the page. Surely the browser's aware of
that.

------
mobweb
Wow, crazy, never really thought about this as an attack vector but it seems
pretty obvious. I must confess that as a person who solves many problems by
Googling I have directly pasted terminal commands from unknown websites
countless times...

------
dechols
So the answer is to paste it into an editor first?

~~~
hluska
Or alternately, the solution is to paste it into your terminal, then take the
time to read over what you pasted and make sure you understand what is going
to happen before you hit enter. This is doubly important if the first word is
'sudo'!!

Not only is this a good habit as far as security goes, it's also the best way
I can think of to learn from problems.

~~~
eropple
This isn't a solution--this is exactly the dangerous behavior that this
webpage is trying to convince you not to do.

Because they can put a newline in the malicious paste.

------
bluetooth
This is really just an extension of clickjacking - modifying the UI to trick
the user into performing an undesired action. This is a pretty novel idea, and
considering how many websites make use of this to slap their permalinks into
copied text (albeit with flash, usually), I'm surprised this hasn't been
thought of before.

It would be an interesting experiment to sneak a harmless command after every
snippet on a site like commandlinefu.com.

Edit: Also while playing around, I remembered irssi actually has a defense
against this. If you try pasting multiple lines, it can detect this. It
presents you with a prompt asking if you really intended to paste >5 lines
into the text field. I wonder if something like this could be implemented in a
shell?

~~~
icebraining
Even if the shell had such protection, they could just do 'evil command &&
visible command'.

~~~
TheJH_
If the shell had a protection against text pasted together with an ending
newline (and would just strip that newline), it would help, I think.

------
mistofvongola
This is another reason I always type a '#' before copy/pasting any long
commands. The main reason is that I sometimes want to edit a long copied
command and sometimes a newline get caught in my 'copy'. The '#' prevents it
from accidentally executing.

~~~
Aga
As explained above, this will help only against the first line of the attack
(until the first newline character). The subsequent lines will be executed.

A better solution would be to paste the text in to an editor.

------
jeromeparadis
That's why I always paste to my text editor and copy from there before pasting
anything from a Web page.

------
jayferd
I mean, untarring a downloaded tarball from somewhere and running `make` is
just as dangerous, right? Only there you can make sure the checksum matches,
but people skip that step all the time.

~~~
runn1ng
You should basically compile everything yourself and read all the source code
yourself if you want to be secure.

Good luck with that though. (Especially with things like, I don't know,
browsers.)

~~~
jayferd
My point exactly. No one is ever actually going to read all the code, so you
have to start your trust somewhere. Especially if you're going to type `sudo
make install` at the end (which is why I advocate things like ~/.local to
prevent the need for that, but I digress).

------
ck2
Can browsers fix this behavior?

It seems like a security hole for many reasons.

The default should be to copy plain text as highlighted, and advanced right
click for html based copying.

------
vishnumenon
I was just thinking it might be cool to have a service that site owners could
include via JS that would ensure that the content in a div is the content seen
by the user. It could have a little stamp that says "Verified by SuchAndSuch"
in the corner of the div. Should I try to make this? Any obvious issues? Is it
worth it?

------
vxNsr
This doesn't seem like such a big deal

You have one of two ways to combat this:

1) always copy things to notepad first so whatever it is that you copied you
can verify is what you meant to copy

2) Use the inspection tool of your browser to copy it from source where things
can't really be hidden.

I usually do #1 anyway because of weird formatting and characters

------
munimkazia
Did it stop working for anyone the second time? I tried it once, and it worked
(gave me the warning and first line of my /etc/passwd file). I wanted to show
it to a coworker but it mysteriously stopped working. It is just copying the
displayed text now. Kinda weird..

Using Google Chrome 26.0.1410.43 on ubuntu 12.10 64bit.

------
seldo
Or possibly "don't follow instructions from people you don't trust",
regardless of what they tell you to do.

------
cmsj
Out of interest, does anyone know of a Mac utility which will intercept the
default paste shortcut and pop up a confirmation of what is going to be
pasted, with a really quick interface to the previous few items that were
copied to the clipboard?

~~~
tres
Jumpcut is fairly close to what you're asking for. I guess you could map
command + v to Jumpcut & override default paste functionality. Personally I
prefer to use option + v.

<http://jumpcut.sourceforge.net>.

------
Thrall
There is a subtle hint that all is not well if you try to select the code
using triple-click: it will only select one half at a time, suggesting it is
not the one-liner it appears to be...

~~~
tete
Problem is that this is frequently the case, because of stuff like syntax
highlighting.

------
kyllo
Yes, but not just that. It's also important to make an effort to understand
what commands you are typing into your shell before typing them (Google them
first if you don't know).

------
fidz
In bitbucket, you could simply copy paste _the clone command in the text
field_. Isn't a text field far safer, since there should be no hidden element?

------
Achshar
Select the text and right click to copy. The trick is over when the "search
google for 'malicious text'" comes up instead of the command in chrome.

~~~
TheJH_
Right... for a real attack, you'd have to hide the evil commands near the end
of the normal-looking one (the string you see there is truncated). I thought
about doing that, but it'd give you a few seconds to react in this example
because you'd have the git command run first. Hmm, maybe it'd be doable using
backticks or so? Those could be put at the end and would evaluate first
anyway...

------
gyepi
FWIW, I use shell mode in emacs most of the time and it happily accepts, and
buffers, multiline commands until you hit enter, unlike the terminal.

------
anarchotroll
Copying with pentadactyl using Y shows exactly what has been copied on the
status line at the bottom of the screen.

------
melicerte
What I usually do before pasting insecure clipboard content to a terminal is
start with a double quote character ("). Once I see the real output, I just
have to remove the quotes (<ctrl-a> <del> <return>).

------
pnathan
Well done, sir.

Thanks for bringing this up.

------
Justsignedup
ok, honestly, where is the ability to disable clipboard manipulation or
similar techniques? Browsers need to do this. I have NEVER seen value if a
website's ability to modify my clipboard.

~~~
ricket
That's a different issue from the one here, actually. View the source. No JS
in the page at all; just an invisible span in the middle of the code to be
copy-pasted.

------
keekdown
Hmmm... I just haven't been thinking about such things.

------
jpswade
Unless it's from a trusted source...

------
chickopozo
How is this news? It's been done so many times I've lost count.

------
umarrana
shit you almost killed me

