Bug#787628: Bracketed paste is unsafe

2015-11-18 Thread Marc Lehmann 
I'll take this off debians bugtracker now, it really makes no sense to
discuss this there (it's not a discussion forum), the bug should be
reassigned to firefox and/or other programs that suffer from this security
issue, as it can't be fixed in a terminal emulator. Or closed.

If you want to discuss development of urxvt with me, please do so on the
urxvt list (rxvt-unic...@lists.schmorp.de>), or with me privately.

On Tue, Nov 17, 2015 at 02:37:54PM +0100, Yuri D'Elia  wrote:
> On 17/11/15 00:32, Marc Lehmann wrote:
> >> Ideally, I would like the data to come through *as-is*, 8bit clean.
> > 
> > I understand what you wish for, but I think you are trying to use the
> > wrong tool here. For starters, can you define what "as-is" means when the
> > data is binary and the terminal is in utf-8? Or a non-utf-8 filename?
> 
> Encoding sits on top of the construct if we can make the paste
> transparent, it won't change the current status quo.

If that were true, nobody would ever have an encoding problem - the problem
is, it isn't true. Grafting encoding on top of a system that doesn't support
it will just result in more mojibake, not correct behaviour. I don't see a
point in supporting something that is broken to begin with.

The problem of bracketed paste is that people are asking for things
that are badly specified, badly implemented, badly thought out and with
ill-defined goals.

> If we agree that the current scheme is insufficient for any purpose,
> let's break it for the better. There's basically no-one using bracketed
> paste currently.

That could mean there is little or no demand for it. It's also not clear
what the purpose of it is - everybody, including you, cites security
concerns of some form as reason, i.e., they don't have a real use case.

> > zsh doesn't have access to the pty master, and is unlikely to be able to
> > react fast enough.
> 
> A proper solution might actually to devise on how the pasted content
> should be encoded by the bracketed paste in a way that 1) allows
> embedded control sequences of any kind 2) they are escaped for the
> terminal discipline to pass-though.

I can't see how that would be a proper solution (see above).

> In that sense, we could just encode the block in a 7bit-safe encoding
> such as base64 or something more efficient.

escaping or using hex would be a lot more conservative, just saying.

> > The problem with this is that a large share of pastes would not benefit
> > from paste mode. It's basically only _some_ multiline pastes that would
> > benefit from it, while most would either not benefit or suffer negative
> > effects from it.
> 
> Not really. Bracketed paste allows to make the distinction between a
> human typing and a paste, and that really makes a great difference.

Such as? You make a lot of very remarkable claims, but so far have shown
very little to back them - which is something in common with the faction that
wants to "fix" bracketed paste.

> >> Firefox has nothing to do with it here, but it shows one of the most
> >> important aspects of a reliable bracketed paste: if bracketed paste is
> >> implemented correctly in the terminal, proper behavior *can* be
> >> implemented at the application level, as zsh now shows.
> > 
> > Didn't you just write that zsh doesn't? And why would that be proper
> > behaviour? The number of times where I paste actual commands into my
> > shell completely dwarfs the few times where I paste hidden commands from
> > insecure apps such as firefox - or in other words, the only way to switch
> > zsh into proper mode would be to disable an option that would put it into
> > "proper mode".
> 
> zsh now enables bracketed paste by default.

So you redact your claim? I am not sure what you mean with this statement,
it doesn't seem to be a reply to the quoted text.

> It actually sends \e[?2004l to all terminals, as the ones we tried that
> didn't support bracketed paste simply swallowed the escape.

Basing such behaviour on a few terminal (emulators?) you tried is hardly
a good implementation. It's really just a bad hack - what's next,
zsh-certified terminals, and everybody else has lost?

(Hint, this only works on ansi/vt-type terminals).

> A bracketed paste is also never executed by default. A newline is
> inserted literally (as ^J would), so that any command can be previewed.
> The paste is also quoted and the quoting style can be customized with a
> prefix argument, so that you can paste into a quote with quotes being
> escaped correctly, and invisible characters can always be seen.
> 
> It's a major improvement in behavior for pasting in any sense.

It would be a major step back for me, so your statement is wrong. Again, it
is ea to make sweeping statements such as these, but more is needed to
convince me, especially when the claims turn out to be wrong.

> > I very much disagree that keeping the user from pasting text that she or
> > he wants to paste is proper - it's just more bossing around because actual
> > bugs (l

Bug#787628: Bracketed paste is unsafe

2015-11-17 Thread Yuri D'Elia 
On 17/11/15 00:32, Marc Lehmann wrote:
>> Ideally, I would like the data to come through *as-is*, 8bit clean.
> 
> I understand what you wish for, but I think you are trying to use the
> wrong tool here. For starters, can you define what "as-is" means when the
> data is binary and the terminal is in utf-8? Or a non-utf-8 filename?

Encoding sits on top of the construct if we can make the paste
transparent, it won't change the current status quo.

>> Without filtering the termination sequence at all, there's *no* way to
>> implement reliably *any* bracketed sequence. It *is* the job of the
>> terminal program to filter the sequence, and only that sequence, from
>> the paste. This is not sanitization of the input, it's just protocol.
> 
> And with filtering it is also not possible to implement this "reliably".

Very true, but I'm absolutely open to discuss on how to fix that.

If we agree that the current scheme is insufficient for any purpose,
let's break it for the better. There's basically no-one using bracketed
paste currently.

To answer with the following:

>> I'd rather try to manually change and restore the terminal mode through
>> the pty master in order for the bracketed paste to be fully transparent
>> for all programs, but I didn't get to it yet.
>
> zsh doesn't have access to the pty master, and is unlikely to be able to
> react fast enough.

No, the attached program will never be able to do that reliably. The
terminal needs to do that, if possible, but even that would break down
in the context of a remote pty.

A proper solution might actually to devise on how the pasted content
should be encoded by the bracketed paste in a way that 1) allows
embedded control sequences of any kind 2) they are escaped for the
terminal discipline to pass-though.

In that sense, we could just encode the block in a 7bit-safe encoding
such as base64 or something more efficient.

> The problem with this is that a large share of pastes would not benefit
> from paste mode. It's basically only _some_ multiline pastes that would
> benefit from it, while most would either not benefit or suffer negative
> effects from it.

Not really. Bracketed paste allows to make the distinction between a
human typing and a paste, and that really makes a great difference.

>> Firefox has nothing to do with it here, but it shows one of the most
>> important aspects of a reliable bracketed paste: if bracketed paste is
>> implemented correctly in the terminal, proper behavior *can* be
>> implemented at the application level, as zsh now shows.
> 
> Didn't you just write that zsh doesn't? And why would that be proper
> behaviour? The number of times where I paste actual commands into my
> shell completely dwarfs the few times where I paste hidden commands from
> insecure apps such as firefox - or in other words, the only way to switch
> zsh into proper mode would be to disable an option that would put it into
> "proper mode".

zsh now enables bracketed paste by default. It actually sends \e[?2004l
to all terminals, as the ones we tried that didn't support bracketed
paste simply swallowed the escape.

A bracketed paste is also never executed by default. A newline is
inserted literally (as ^J would), so that any command can be previewed.
The paste is also quoted and the quoting style can be customized with a
prefix argument, so that you can paste into a quote with quotes being
escaped correctly, and invisible characters can always be seen.

It's a major improvement in behavior for pasting in any sense.

> This is going the same path as firefox - instead of plugging javascript
> security holes, we get kludges (such as disabling file urls because
> firefox can't guarantee their safety, or randomly renaming your profile
> directory instead of keeping javascript from snooping around in your
> filesystem).
> 
> I very much disagree that keeping the user from pasting text that she or
> he wants to paste is proper - it's just more bossing around because actual
> bugs (like the one in firefox) don't get fixed.

I doubt firefox will ever be able to fix this issue in a way that makes
"copying" safe.

Frankly, I do not care, as unicode issues will always be present.
Let's fix bracketed paste.

Bug#787628: Bracketed paste is unsafe

2015-11-16 Thread Marc Lehmann 
On Mon, Nov 16, 2015 at 04:46:07PM +0100, Yuri D'Elia  wrote:
> The way I see it, bracketed paste allows the program attached to the tty
> to receive clean input from the paste without the terminal interfering.
> 
> Ideally, I would like the data to come through *as-is*, 8bit clean.

I understand what you wish for, but I think you are trying to use the
wrong tool here. For starters, can you define what "as-is" means when the
data is binary and the terminal is in utf-8? Or a non-utf-8 filename?

> Without filtering the termination sequence at all, there's *no* way to
> implement reliably *any* bracketed sequence. It *is* the job of the
> terminal program to filter the sequence, and only that sequence, from
> the paste. This is not sanitization of the input, it's just protocol.

And with filtering it is also not possible to implement this "reliably".

> Bracketed paste might actually be used by editors, such as vim, to
> insert text as-is without having to enter "paste" mode first.

The problem with this is that a large share of pastes would not benefit
from paste mode. It's basically only _some_ multiline pastes that would
benefit from it, while most would either not benefit or suffer negative
effects from it.

> We've been discussing the issue of break processing in the zsh ml, and
> 
> I'd rather try to manually change and restore the terminal mode through
> the pty master in order for the bracketed paste to be fully transparent
> for all programs, but I didn't get to it yet.

zsh doesn't have access to the pty master, and is unlikely to be able to
react fast enough.

> I don't want to go through the route of xterm, which instead filters the
> input "pretending" to know what is safe and what isn't, which like you
> say, is just guessing.

The problem isn't that it is guessing, the problem is that is always wrong
- if a program sends different text when asked for a selection then what
the user has selected, this is a bug, which can be security-relevant. No
amount of kludging or guessing or following protocol can fix this in a
terminal emulator, unless the temrinal emulator suffers from the same
problem.

> Firefox has nothing to do with it here, but it shows one of the most
> important aspects of a reliable bracketed paste: if bracketed paste is
> implemented correctly in the terminal, proper behavior *can* be
> implemented at the application level, as zsh now shows.

Didn't you just write that zsh doesn't? And why would that be proper
behaviour? The number of times where I paste actual commands into my
shell completely dwarfs the few times where I paste hidden commands from
insecure apps such as firefox - or in other words, the only way to switch
zsh into proper mode would be to disable an option that would put it into
"proper mode".

This is going the same path as firefox - instead of plugging javascript
security holes, we get kludges (such as disabling file urls because
firefox can't guarantee their safety, or randomly renaming your profile
directory instead of keeping javascript from snooping around in your
filesystem).

I very much disagree that keeping the user from pasting text that she or
he wants to paste is proper - it's just more bossing around because actual
bugs (like the one in firefox) don't get fixed.

-- 
The choice of a   Deliantra, the free code+content MORPG
  -==- _GNU_  http://www.deliantra.net
  ==-- _   generation
  ---==---(_)__  __   __  Marc Lehmann
  --==---/ / _ \/ // /\ \/ /  schm...@schmorp.de
  -=/_/_//_/\_,_/ /_/\_\

Bug#787628: Bracketed paste is unsafe

2015-11-16 Thread Yuri D'Elia 
Sorry for the late reply, but as I wasn't included in the reply, I
didn't get any notification. I just stumbled upon it today by chance...

> First of all, the safety is not the same as security, and the bracketed
> paste mode is not a means for security (for a variety of subreasons, the
> main being that pasting a _shell_ command that contains data that the user
> doesn't know is insecure with or without bracketed paste mode filtering
> out certain sequences).

The way I see it, bracketed paste allows the program attached to the tty
to receive clean input from the paste without the terminal interfering.

Ideally, I would like the data to come through *as-is*, 8bit clean.

Unfortunately, bracketed paste is flawed, as it relies on a termination
sequence and doesn't allow escapes. This means that even if I wanted to,
I cannot pass input that includes the termination sequence.

Without filtering the termination sequence at all, there's *no* way to
implement reliably *any* bracketed sequence. It *is* the job of the
terminal program to filter the sequence, and only that sequence, from
the paste. This is not sanitization of the input, it's just protocol.

> Third, even if bracketed paste mode would single out this sequence, it's
> not a security feature, as the user has no feedback on whether this mode
> is enabled, so cannot base her decision to paste on this mode. Advertising
> bracketed paste mode as a security feature would trick users into unsafe
> behaviour.

This patch was produced as a result of some work in zsh, which now uses
bracketed paste to automatically quote (and not execute by default!)
pastes. This is now the default behavior in zsh since 5.1.

Bracketed paste might actually be used by editors, such as vim, to
insert text as-is without having to enter "paste" mode first.

However, bracketed paste needs to be reliable.

> Lastly, guessing what is "safe" and what is "unsafe" in the terminal
> emulator is the wrong place, as it can't know what the application
> interprets. For example, the application might abort paste mode on other
> sequences as well (such as ctrl-c). It's also very difficult to implement,
> even if there was a list of what is to be filtered out, as the patch
> shows, which doesn't manage to filter out sequences at internal borders, so
> not giving the false impression that pasting is safe no matter what it
> contains.

We've been discussing the issue of break processing in the zsh ml, and
indeed the patch is still "incomplete" in the sense that Ctrl+C is still
processed by the terminal discipline, and that's definitely something
that should be avoided.

I'd rather try to manually change and restore the terminal mode through
the pty master in order for the bracketed paste to be fully transparent
for all programs, but I didn't get to it yet.

I don't want to go through the route of xterm, which instead filters the
input "pretending" to know what is safe and what isn't, which like you
say, is just guessing.

> Therefore, I would suggest reassigning this to firefox or other
> applications in Debian GNU/Linux that let you select one text visually,
> but then offer a different text as the selection to other apps, as that is
> indeed a security problem.

Firefox has nothing to do with it here, but it shows one of the most
important aspects of a reliable bracketed paste: if bracketed paste is
implemented correctly in the terminal, proper behavior *can* be
implemented at the application level, as zsh now shows.

Bug#787628: Bracketed paste is unsafe

2015-06-17 Thread Marc Lehmann 
Hi!

This bugreport is unsound for a variety of reasons.

First of all, the safety is not the same as security, and the bracketed
paste mode is not a means for security (for a variety of subreasons, the
main being that pasting a _shell_ command that contains data that the user
doesn't know is insecure with or without bracketed paste mode filtering
out certain sequences).

Secondly, it's not rxvt-unicode's job to implement the security barrier
between e.g. the interwebs and your selection - if an app such as firefox
allows one to select text and then internally selects something else (as
firefox indeed does), then this is a security issue in the application
that can be tricked into putting text into the selection that the user
didn't select.

Third, even if bracketed paste mode would single out this sequence, it's
not a security feature, as the user has no feedback on whether this mode
is enabled, so cannot base her decision to paste on this mode. Advertising
bracketed paste mode as a security feature would trick users into unsafe
behaviour.

Lastly, guessing what is "safe" and what is "unsafe" in the terminal
emulator is the wrong place, as it can't know what the application
interprets. For example, the application might abort paste mode on other
sequences as well (such as ctrl-c). It's also very difficult to implement,
even if there was a list of what is to be filtered out, as the patch
shows, which doesn't manage to filter out sequences at internal borders, so
not giving the false impression that pasting is safe no matter what it
contains.

Therefore, I would suggest reassigning this to firefox or other
applications in Debian GNU/Linux that let you select one text visually,
but then offer a different text as the selection to other apps, as that is
indeed a security problem.

-- 
The choice of a   Deliantra, the free code+content MORPG
  -==- _GNU_  http://www.deliantra.net
  ==-- _   generation
  ---==---(_)__  __   __  Marc Lehmann
  --==---/ / _ \/ // /\ \/ /  schm...@schmorp.de
  -=/_/_//_/\_,_/ /_/\_\


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#787628: Bracketed paste is unsafe

2015-06-17 Thread Marc Lehmann 
> Therefore, I would suggest reassigning this to firefox or other

As an additional fyi, firefox upstream bug
https://bugzilla.mozilla.org/show_bug.cgi?id=637895(*) is reasonably close
(as it is about the same problem).

(*) Thanks to Mikael (of zsh fame) for pointing this out.


-- 
The choice of a   Deliantra, the free code+content MORPG
  -==- _GNU_  http://www.deliantra.net
  ==-- _   generation
  ---==---(_)__  __   __  Marc Lehmann
  --==---/ / _ \/ // /\ \/ /  schm...@schmorp.de
  -=/_/_//_/\_,_/ /_/\_\


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#787628: Bracketed paste is unsafe

2015-06-03 Thread Yuri D'Elia 
Package: rxvt-unicode
Version: 9.21-1
Severity: important
Tags: security upstream patch

This is not really news as this is an age-old attack with low impact:
rxvt-unicode does not filter end sequences when using bracketed paste mode. You
can try this by following this web page:

https://thejh.net/misc/website-terminal-copy-paste

and using the oh-my-zsh "safe-paste" plugin. Pasted data can escape the
bracketed mode, which might result in unsafe input.

This is confirmed by fetching urxvt source and seeing the definition of
rxvt_term::tt_paste in screen.C.

Patch attached.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (800, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages rxvt-unicode-256color depends on:
ii  base-passwd   3.5.37
ii  libc6 2.19-18
ii  libfontconfig12.11.0-6.3
ii  libfreetype6  2.5.2-4
ii  libgcc1   1:5.1.1-8
ii  libgdk-pixbuf2.0-02.31.4-2
ii  libglib2.0-0  2.44.1-1
ii  libperl5.20   5.20.2-6
ii  libstartup-notification0  0.12-4
ii  libx11-6  2:1.6.3-1
ii  libxft2   2.3.2-1
ii  libxrender1   1:0.9.8-1+b1
ii  ncurses-term  5.9+20150516-2

Versions of packages rxvt-unicode-256color recommends:
ii  fonts-vlgothic [fonts-japanese-gothic]  20141206-1
pn  ttf-dejavu  

rxvt-unicode-256color suggests no packages.
--- src/screen.C.Orig	2015-06-03 14:56:51.698258870 +0200
+++ src/screen.C	2015-06-03 15:51:27.213488209 +0200
@@ -2706,8 +2706,17 @@
   data[i] = C0_CR;
 
   if (priv_modes & PrivMode_BracketPaste)
+  {
 tt_printf ("\x1b[200~");
 
+/* filter end sequence from the input data */
+while (char* p = (char*)memmem (data, len, "\x1b[201~", 6))
+{
+  len -= 6;
+  memmove (p, (p + 6), len - (p - data));
+}
+  }
+
   tt_write (data, len);
 
   if (priv_modes & PrivMode_BracketPaste)