11 comments

[ 3.5 ms ] story [ 41.0 ms ] thread
(comment deleted)
I honestly expected some sort of weird zero-width char exploit. This is much simpler
You don't even need JS.

    <pre>echo 'normal code, nothing to see here :)'<span style="color:transparent;font-size:0">; echo 'evil stuff'</span>
    echo 'nothing suspicious at all :)'</pre>
Do people not read what they pasted before hitting 'enter'?

Like do they just smash ctrl+v//enter super fast? Why would anyone do that

Yes indeed they do not read it at all. Even if you tell them right before the to be copied text to replace the obvious placeholders with the real value needed. And then they complain on slack that 'this thing in the docs doesn't work. Help!'.

Always have them show you exactly what they did. No descriptions of what they did, let them show you. Yes, do ask the obvious 'did you replace the placeholders?' question.

Very common answer: 'What placeholders?'

From the article, emphasis mine:

> Not only do you get a completely different command present on your clipboard, but to make matters worse, it has a newline (or return) character at the end of it.

> This means the above example would execute as soon as it's pasted directly into a Linux terminal.

I usually paste into notepad++ first to make sure formatting is right. Guess this is a good habit for everyone to get into.
Last time I remember this issue was brought up:

https://news.ycombinator.com/item?id=24797720

You can mostly avoid this problem with a little configuration if bracketed-paste-mode isn't default on whatever you're using.

Make sure it's supported and/or active on your terminal (e.g. urxvt, xterm) and the CLI/TUI programs (e.g. vim, bash/libreadline) on which you want to paste.

At the link above is a link to an SE answer I wrote years ago:

https://security.stackexchange.com/questions/39118/how-can-i...

It has a table showing what terminals support bracketed paste mode, and also provides a urxvt plugin to fix a bug in urxvt's implementation.

Jus another reminder that the modern browser is an awful platform with basically no unique purpose but user exploitation - which is why it happens to be ubiquitous.