Don't Copy-Paste from Website to Terminal

  • Why would I bother copying and pasting the code to my clipboard when common industry practice now is just to invoke the output of curl directly?

    ruby -e "$(curl -fsSL https://raw.github.com/mxcl/homebrew/go)"

  • Bash and Zsh provide shortcuts to open a text editor where commands can be pasted and edited before running (Ctrl-x Ctrl-e in bash, need to enable in zsh [2]). I've been using this on Linux not for security but because I'm still confused by X11's primary and clipboard selections [1]. It seems like every time I try to paste a github repo link, I get the last chunk of code I copied and vice versa.

    [1] http://www.nongnu.org/autocutsel/

    [2] Sample .zshrc to map edit-command-line to Ctrl-x e:

      autoload edit-command-line
      zle -N edit-command-line
      bindkey '^Xe' edit-command-line
    
    edit: fixed shortcut for bash

    edit: forgot about my .zshrc

  • Nicely done! Here's the underlying source:

        <p class="codeblock">
          <!-- Oh noes, you found it! -->
          git clone
          <span style="position: absolute; left: -100px; top: -100px">/dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!<br>Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd<br>git clone </span>
          git://git.kernel.org/pub/scm/utils/kup/kup.git
        </p>

  • I suspect that the only way to effectively mitigate this is in the terminal application, by displaying a confirmation with the pasted text before accepting any multi-line[1] paste. For example here: https://code.google.com/p/iterm2/issues/detail?id=594

    [1] There may be other dangerous characters besides newlines, e.g. escape sequences. I'm not sure if it's possible to make an exhaustive list for something like Bash. Perhaps one has to guard against any paste?
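The terminal-side check described above (and the bracketed-paste idea a few comments further down), as an added example that is not from the original thread: a small POSIX shell function, hypothetically named paste_guard, that refuses clipboard text containing newlines or other control bytes before it reaches the shell. The sample inputs are constructed to mirror the visible vs. hidden text shown on the page.

```shell
#!/bin/sh
# paste_guard (hypothetical name): inspect text that is about to be pasted
# into a shell and refuse it when it is not a single, fully visible line:
#   - newlines / carriage returns would execute the command immediately,
#   - other control bytes (ESC, etc.) could start a terminal escape sequence.
# Returns 0 when the text is one printable ASCII line, 1 otherwise; on
# refusal it prints the text with control characters made visible.
paste_guard() {
    text=$1
    # Number of newline characters in the text (printf adds none itself).
    nl_count=$(printf '%s' "$text" | wc -l | tr -d ' ')
    # Number of bytes outside printable ASCII and tab; non-ASCII is flagged
    # for review as well, which is the conservative choice here.
    ctrl=$(printf '%s' "$text" | LC_ALL=C tr -d '\040-\176\011' | wc -c | tr -d ' ')
    if [ "$nl_count" -eq 0 ] && [ "$ctrl" -eq 0 ]; then
        return 0
    fi
    printf 'REFUSED paste (%s newline(s), %s control byte(s)):\n' \
        "$nl_count" "$ctrl" >&2
    printf '%s' "$text" | cat -v >&2   # cat -v shows ^[ , ^M and friends
    printf '\n' >&2
    return 1
}

# Constructed samples: the one-liner the page appears to show, the
# multi-line text it actually pastes (payload replaced by a harmless echo),
# and a single line carrying an ESC byte.
VISIBLE='git clone git://git.kernel.org/pub/scm/utils/kup/kup.git'
HIDDEN=$(printf 'git clone\n/dev/null; clear; echo "hidden line ran"\ngit clone git://git.kernel.org/pub/scm/utils/kup/kup.git')
ESCAPED=$(printf 'echo hi \033[2J')

for sample in "$VISIBLE" "$HIDDEN" "$ESCAPED"; do
    if paste_guard "$sample"; then
        printf 'OK to paste: %s\n' "$sample"
    fi
done
```

In an interactive shell the equivalent protection is bracketed paste: recent bash exposes it through readline's `enable-bracketed-paste` setting, so a pasted newline is inserted into the line rather than executed.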

  • Perhaps the real problem here is that, as noted by Ted Nelson back when the concept started to gain popularity, "[the computer clipboard is] just like a regular clipboard, except (a) you can't see it, (b) it holds only one object, (c) whatever you put there destroys the previous contents." The presented vulnerability hinges on (a), and, Glipper [1] notwithstanding, (a)-(c) is still the default behavior in every GUI I use.

    [1] https://launchpad.net/glipper

  • Well... yeah, but even without hidden text, what are you going to do after you clone the repository? Probably `make` or `ruby something.rb` or any number of other commands that can run arbitrary code. If you don't trust someone, you shouldn't be trying to clone their git repo in the first place.

  • One of many examples by which making the web a better "application-delivery" platform makes it less secure, less reliable, less predictable and more tedious in its original role of sharing text, images and links.

  • I'm confused why this is even allowed by the browsers; you shouldn't be able to send something else to the clipboard. Are there any browser extensions that can 'fix' this issue?

  • Note: if you don't trust this, paste into a text editor!

    It works with this CSS:

        position: absolute; left: -100px; top: -100px

  • Pasted result is:

      git clone
    
      /dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!
    
      Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd
    
      git clone git://git.kernel.org/pub/scm/utils/kup/kup.git

  • Good terminal emulators (xterm, urxvt, iTerm2, etc.) have support for "bracketed paste mode" which can be used to fix this problem in zsh: https://github.com/robbyrussell/oh-my-zsh/pull/1698 (original code: http://www.zsh.org/mla/users/2011/msg00367.html)

    It's probably easy to write a similar fix for bash.

  • I usually put a # before anything I paste into a terminal. Mostly because I sometimes get a newline at the end, but it will disarm this behavior too. I'm not sure if it works in all situations though. Edit: Won't work! Use a heredoc (<<paste) or the editor method suggested above instead.

  • Actually, I tried to copy it by triple clicking, which selects one line (at least, I expect it to; it's what Sublime Text does). That didn't copy any of the malicious text, and it just stopped between the clone and the URL.

  • IMO this is the browser's fault. One expects to copy the selected (visible) text. But kinda hard to fix ...

  • Wow, crazy, never really thought about this as an attack vector but it seems pretty obvious. I must confess that as a person who solves many problems by Googling I have directly pasted terminal commands from unknown websites countless times...

  • So the answer is to paste it into an editor first?

  • This is really just an extension of clickjacking - modifying the UI to trick the user into performing an undesired action. This is a pretty novel idea, and considering how many websites make use of this to slap their permalinks into copied text (albeit with flash, usually), I'm surprised this hasn't been thought of before.

    It would be an interesting experiment to sneak a harmless command after every snippet on a site like commandlinefu.com.

    Edit: Also while playing around, I remembered irssi actually has a defense against this. If you try pasting multiple lines, it can detect this. It presents you with a prompt asking if you really intended to paste >5 lines into the text field. I wonder if something like this could be implemented in a shell?

  • This is another reason I always type a '#' before copy/pasting any long commands. The main reason is that I sometimes want to edit a long copied command, and sometimes a newline gets caught in my 'copy'. The '#' prevents it from accidentally executing.

  • That's why I always paste to my text editor and copy from there before pasting anything from a Web page.

  • I mean, untarring a downloaded tarball from somewhere and running `make` is just as dangerous, right? Only there you can make sure the checksum matches, but people skip that step all the time.

  • Can browsers fix this behavior?

    It seems like a security hole for many reasons.

    The default should be to copy plain text as highlighted, and advanced right click for html based copying.

  • I was just thinking it might be cool to have a service that site owners could include via JS that would ensure that the content in a div is the content seen by the user. It could have a little stamp that says "Verified by SuchAndSuch" in the corner of the div. Should I try to make this? Any obvious issues? Is it worth it?

  • This doesn't seem like such a big deal

    You have one of two ways to combat this: 1) always copy things to Notepad first, so that you can verify that whatever you copied is what you meant to copy

    2) Use the inspection tool of your browser to copy it from source where things can't really be hidden.

    I usually do #1 anyway because of weird formatting and characters

  • Did it stop working for anyone the second time? I tried it once, and it worked (gave me the warning and first line of my /etc/passwd file). I wanted to show it to a coworker but it mysteriously stopped working. It is just copying the displayed text now. Kinda weird..

    Using Google Chrome 26.0.1410.43 on ubuntu 12.10 64bit.

  • Or possibly "don't follow instructions from people you don't trust", regardless of what they tell you to do.

  • Out of interest, does anyone know of a Mac utility which will intercept the default paste shortcut and pop up a confirmation of what is going to be pasted, with a really quick interface to the previous few items that were copied to the clipboard?

  • There is a subtle hint that all is not well if you try to select the code using triple-click: it will only select one half at a time, suggesting it is not the one-liner it appears to be...

  • Yes, but not just that. It's also important to make an effort to understand what commands you are typing into your shell before typing them (Google them first if you don't know).

  • In Bitbucket, you could simply copy-paste the clone command from the text field. Isn't a text field far safer, since there should be no hidden element?

  • Select the text and right click to copy. The trick is over when the "Search Google for 'malicious text'" entry comes up instead of the command in Chrome.

  • FWIW, I use shell mode in emacs most of the time and it happily accepts, and buffers, multiline commands until you hit enter, unlike the terminal.


  • Copying with pentadactyl using Y shows exactly what has been copied on the status line at the bottom of the screen.


  • What I usually do before pasting insecure clipboard content into a terminal is start with a double-quote character ("). Once I see the real output, I just have to remove the quote (<ctrl-a> <del> <return>).

  • Well done, sir.

    Thanks for bringing this up.

  • OK, honestly, where is the ability to disable clipboard manipulation or similar techniques? Browsers need to do this. I have NEVER seen value in a website's ability to modify my clipboard.

  • Hmmm... I just haven't been thinking about such things.

  • Unless it's from a trusted source...

  • How is this news? It's been done so many times I've lost count.


  • I always paste my things inside Chrome's Omnibar. It trims surrounding spaces and associated style.

  • I agree with "don't copy-paste", because I hate copy-pasting.

  • That's really cool. :)

  • Shit, you almost killed me.