From effc2107e47d4f5cb410fbf3b8548d4f708e56ee Mon Sep 17 00:00:00 2001 From: bakkeby Date: Wed, 10 Jun 2020 20:53:01 +0200 Subject: [PATCH] config.def.h: add an option allowwindowops, by default off (secure) Similar to the xterm AllowWindowOps option, this is an option to allow or disallow certain (non-interactive) operations that can be insecure or exploited. NOTE: xsettitle() is not guarded by this because st does not support printing the window title. Else this could be exploitable (arbitrary code execution). Similar problems have been found in the past in other terminal emulators. The sequence for base64-encoded clipboard copy is now guarded because it allows a sequence written to the terminal to manipulate the clipboard of the running user non-interactively, for example: printf '\x1b]52;0;ZWNobyBoaQ0=\a' --- config.def.h | 4 ++++ st.c | 2 +- st.h | 1 + 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/config.def.h b/config.def.h index a5723d6..62a1217 100644 --- a/config.def.h +++ b/config.def.h @@ -57,6 +57,10 @@ static unsigned int tripleclicktimeout = 600; /* alt screens */ int allowaltscreen = 1; +/* allow certain non-interactive (insecure) window operations such as: + setting the clipboard text */ +int allowwindowops = 0; + /* * draw latency range in ms - from new content/keypress/etc until drawing. * within this range, st draws when content stops arriving (idle). mostly it's diff --git a/st.c b/st.c index eabd49a..e32789b 100644 --- a/st.c +++ b/st.c @@ -2015,7 +2015,7 @@ strhandle(void) xsettitle(strescseq.args[1]); return; case 52: - if (narg > 2) { + if (narg > 2 && allowwindowops) { dec = base64dec(strescseq.args[2]); if (dec) { xsetsel(dec); diff --git a/st.h b/st.h index 9208090..4c2059c 100644 --- a/st.h +++ b/st.h @@ -145,6 +145,7 @@ extern char *stty_args; extern char *vtiden; extern wchar_t *worddelimiters; extern int allowaltscreen; +extern int allowwindowops; extern char *termname; extern unsigned int tabspaces; extern unsigned int defaultfg;