神刀安全网

Pastejacking prevention using urxvt, tmux and vim

Try pasting the following text into your fully configured vim using Shift-Insert:

{
    {
        {
            # madness!
        }
    }
}

Then compare with the following gif.

[gif: Pastejacking prevention using urxvt, tmux and vim]

You can use Shift+Insert now

How many times do you do the following sequence in vim?

<C-O>"*p 

Or, if you are a smart one, this one?

<C-R>* 

However, remote vim leaves you no choice.

:set paste
<S-Insert>
:set nopaste

urxvt-vim-insert to the rescue

Just install this urxvt perl plugin, restart urxvt, and all following Shift-Inserts will paste text the way it is expected to be done in the XXI century.

It will also work in vim on a remote server. Waow.

What’s the difference from "bracketed paste"?

"Bracketed paste" requires a plugin for vim and is intended for pasting in vim only.

urxvt-vim-insert is a plugin for the terminal and redirects any paste to a new vim session, which can be used for remote sessions as well. E.g., you can safely paste multiline text directly into an unconfigured remote vim and it will work nicely.

urxvt-vim-insert can be used for pasting multiline text into a local or remote shell.

urxvt-vim-insert requires no vim/shell configuration whatsoever.

How about pasting multiline text directly into the shell?

Seen this site?

http://thejh.net/misc/website-terminal-copy-paste

Your browser will happily copy any hidden text into the clipboard, and guess what happens if you paste some hidden text that contains rm -rf /usr/ into a terminal on the production server? :peach:

Fortunately, there is a solution.

:tada: TADA! :tada:

[gif: Pastejacking prevention using urxvt, tmux and vim]

Also, you need to specify the program that will be used to edit the clipboard and send the result back.

This command is specified via the URxvt.safe-paste.command parameter. See more in the next section.

For example, I’m using a setup with urxvt+tmux+vim, so my safe-paste command is:

URxvt.safe-paste.command: vim-safe-paste 

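vim-safe-paste:

# $1 is the urxvt PID, $2 is the temporary file with the clipboard contents.
# Find the tmux client started by this urxvt and read its session name (-s).
tmux_pid=$(pgrep -P$1 tmux)
session_name=$(grep -zFxA1 -- '-s' < /proc/$tmux_pid/cmdline | cut -b3-)

# Open the editor in a new tmux window, then load the edited file into a tmux
# buffer, paste it into the previous window and remove the temporary file.
tmux neww -t $session_name "$(cat <<EOF
    $EDITOR $2;
    tmux loadb $2 \; pasteb -t $session_name:-1 ;
    rm $2 ;
EOF
)"

It is a little bit complicated (due to the stupid tmux API). When I press Shift+Insert to paste something outside vim and the clipboard contains more than one line, it pops up a new vim instance with the clipboard contents, so I can edit them before pasting.

The result of using that simple script can be seen in the gif above.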

URxvt.safe-paste.command

This parameter is mandatory and should point to an executable that will be launched by urxvt synchronously, so it should fork in order not to hang your terminal.

That executable will get two parameters:

  • urxvt PID as its first parameter ($1).
  • temporary file name with the current clipboard contents as its second parameter ($2). This file should be removed by the executable when editing is complete.
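
A safe-paste command could triage the temporary file it receives as $2 before it reaches a shell. The sketch below is an added example, not code from urxvt-vim-insert or the original page; the function names clip_risk, clip_show and needs_review are hypothetical, and the sample clipboard texts are constructed.

```shell
#!/bin/sh
# Added example (not part of urxvt-vim-insert): triage a clipboard dump, such
# as the temp file passed to the safe-paste command as $2, before pasting.

# clip_risk FILE -> prints "control", "newline" or "plain"
clip_risk() {
    # Bytes left after deleting tab, newline, printable ASCII and high (UTF-8)
    # bytes are control characters: ESC, CR, backspace, NUL, DEL, ...
    ctl=$(LC_ALL=C tr -d '\11\12\40-\176\200-\377' < "$1" | wc -c)
    nl=$(wc -l < "$1")    # number of newline characters
    if [ "$((ctl))" -gt 0 ]; then
        echo control      # can change what the terminal displays
    elif [ "$((nl))" -gt 0 ]; then
        echo newline      # a shell may run the text before you can read it
    else
        echo plain
    fi
}

# clip_show FILE -> unambiguous listing: "$" marks each line end and control
# bytes appear as escapes such as \033 (POSIX "sed -n l")
clip_show() { sed -n l "$1"; }

# needs_review FILE -> exit status 0 when the text should be opened in an
# editor first (the plugin on this page does so for multi-line clipboards)
needs_review() { [ "$(clip_risk "$1")" != plain ]; }

# Constructed samples: what the reader believes was copied versus what a page
# with hidden text can place in the clipboard (a harmless echo stands in).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'git status' > "$dir/visible"
    printf 'git status\necho hidden-command\n' > "$dir/hidden"
    printf 'ls\033[0m' > "$dir/escape"
    for f in visible hidden escape; do
        printf '%s: %s\n' "$f" "$(clip_risk "$dir/$f")"
        clip_show "$dir/$f"
    done
    rm -r "$dir"
}
demo
```
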

Installation

Under Arch Linux, just install the package from AUR.

Under any other distro, just copy vim-insert into the rxvt-unicode extensions directory.

Then, add vim-insert at the end of the URxvt.perl-ext-common list:

URxvt.perl-ext-common: …,vim-insert

Integration

This plugin plays nice with other things:

  • marvex, which is a terminal bookkeeper for the tiling window manager i3.

  • mcabber-external-editor, which adds the missing feature of editing multiline messages in mcabber.

The safe-paste.command script, located in the example/ directory, is designed to work with marvex and mcabber-external-editor.
