Multi-line paste warning doesn't detect \r, only \n #8601
Comments
ghost
added
Needs-Triage
DHowett
changed the title
DHowett
added
Area-User Interface
DHowett
removed
the
Needs-Triage
DHowett
added
Help Wanted
|
@PankajBhojwani has expressed some interest in the various multiline paste issues. 😄 |
DHowett
added
Needs-Author-Feedback
|
I've done some work previously regarding paste filter in #7508 . But it's more of a PoC of bracketed paste mode. The security issue it trys to resolve is a serious one, though. See #395 (comment). I plan to focus on brackted paste for that PR when I get the time to work on it later. So It would be nice if paste filtering is landed first. My implemention was explained here #7508 (comment), if anyone's interested |
|
I'm a security researcher who reported this issue to MSRC. <html>
<head>
<title>Windows Terminal multiple line paste warning bypass</title>
</head>
<body>
<script>
function copyListener(e){
e.clipboardData.setData("text/plain" , "echo 'evil command :P'\r");
e.preventDefault();
}
document.addEventListener("copy" , copyListener);
</script>
<div>
<code>
echo 'normal command'
</code>
</div>
</body>
</html>To reproduce this issue, open this HTML in the browser, and copy the |
|
OK so this issue seems to be more about filtering multi-line content, whereas my comment above focuses on filtering control sequences. @DHowett Feel free to ignore my comments or do whatever you may want with it. I do believe these 2 issues belong to the same category and are closed related. |
|
@DHowett - today I am full of questions.. sorry.. Can you explain
When I saw this I said.. OK..just add "find \r" in TerminalPage::_PasteFromClipboardHandler. What have I missed (I mean we already do the same search for \n")? |
|
So @Don-Vito - my concern is multifold. I'd rather avoid scanning the string three times, and I was thinking that if we're going to scan it once, we might as well do the @PankajBhojwani wanted to work on the multi-line paste warning enhancements, so it felt like a nice way for him to knock out three workitems at once. |
|
@DHowett - as a quick win we can introduce std::find_if in detection to check for both. WDYT? |
|
I dunno if we need a quick win at the moment 😄 If it weren’t for Pankaj saying he wanted to work on this, I’d say we would want a quick win. 🤷🏻 (I wouldn’t reject a PR that did that, but it would be in short order steamrolled with a second PR that did the other things, too!) |
Makes sense! Assumed quick win might be helpful because of MSRC report. I will convert my PR to a draft.. in case it is somehow relevant. 😊 |
|
Just FYI, the MSRC doesn't consider this as a security issue, so they already closed the MSRC report. |
ghost
added
Resolution-Fix-Committed
|
🎉This issue was addressed in #8634, which has now been successfully released as Handy links: |
|
🎉This issue was addressed in #8634, which has now been successfully released as Handy links: |
- Detect `\r` when warning about multi line paste - Translate `\n` to `\r` on paste ## PR Checklist * [x] Closes microsoft#8601 * [x] Closes microsoft#5821 ## Validation Steps Performed Manual testing
Certain shells will execute commands on \r as well as \n, so we should try to catch \r as well.
This should probably be tackled at the same time as paste filtering. I originally thought that we should detect newlines after filtering, or perhaps during filtering, but would result in us doing a "lot" of work in the case where the user declines the paste.
Filtering: #5821.
The text was updated successfully, but these errors were encountered: