Hacker News

So the answer is to paste it into an editor first?


This is what I do with anything I'm copying or pasting from anything into anything else, mostly because of the obnoxious and ubiquitous "let's copy and paste formatting as well as text" that presumably came from some insane desire for ubiquitous rich text.


Or alternately, the solution is to paste it into your terminal, then take the time to read over what you pasted and make sure you understand what is going to happen before you hit enter. This is doubly important if the first word is 'sudo'!!

Not only is this a good habit as far as security goes, it's also the best way I can think of to learn from problems.


This isn't a solution--this is exactly the dangerous behavior that this webpage is trying to convince you not to do.

Because they can put a newline in the malicious paste.


If the text contains a newline the command[1] will be executed immediately so that won't protect you.

[1]: At least, in the terminals I regularly use.


There was a newline hidden in the one pasted here, so that's not an option. It would have run something no matter what.


Yeah, I always have gedit or kate running so I can paste there first and verify it.


or "cat > /dev/null" and paste into the terminal to review.


wonder if there's something that would be copyable from the browser to the clipboard/pastebuffer/what-have-you (and pasteable to your terminal emulator) that would constitute a ^C?


Oh, wow - you're right! It does work, and trivially so. That is, I created chr(3), opened it in a text editor, and copy/pasted. Poof! No longer in the cat.

I then put a sample command line in HTML, with an embedded  . Yep, copied and pasted just fine.

Which means my SOP for dealing with untrusted text isn't anywhere near as good as I thought it would be.

Thanks for pointing that out!
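
An added example, not part of any comment in this thread: a small Python checker that reports the characters discussed above (a hidden newline, chr(3)) in text before it reaches a terminal. The function names and the sample string are constructed for illustration.

```python
"""Inspect text before it reaches a terminal: report every control character
(newline, chr(3), ESC, ...) and render a version that is safe to read."""
import sys
import unicodedata

# Constructed sample: a hidden ^C (chr(3)) mid-line and a trailing newline.
SAMPLE = "ls -la\x03echo pasted\n"

# Characters the thread calls out, plus a few others a terminal acts on.
NAMES = {
    0x03: "ETX (^C, ends a waiting `cat`)",
    0x04: "EOT (^D, end of input)",
    0x0A: "LF (newline, runs the line)",
    0x0D: "CR (carriage return, runs the line)",
    0x1B: "ESC (starts an escape sequence)",
}


def findings(text):
    """Return (offset, codepoint, description) for each control/format character."""
    out = []
    for i, ch in enumerate(text):
        # Cc = control characters, Cf = invisible format characters
        if unicodedata.category(ch) in ("Cc", "Cf"):
            cp = ord(ch)
            out.append((i, cp, NAMES.get(cp, unicodedata.name(ch, "control"))))
    return out


def visible(text):
    """Replace each flagged character with a printable <U+XXXX> marker."""
    flagged = {i for i, _, _ in findings(text)}
    return "".join(f"<U+{ord(c):04X}>" if i in flagged else c
                   for i, c in enumerate(text))


def is_single_plain_line(text):
    """True only if nothing in the text acts before the reader presses Enter."""
    return not findings(text)


if __name__ == "__main__":
    data = sys.stdin.read()
    print(visible(data))
    for off, cp, desc in findings(data):
        print(f"offset {off}: U+{cp:04X} {desc}", file=sys.stderr)
    sys.exit(0 if is_single_plain_line(data) else 1)
```

Feed it the clipboard through a pipe (for example `xclip -o` or `pbpaste`) rather than pasting into it, since a pasted chr(3) would interrupt the script just as it ended the `cat`.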



