Don't copy-paste terminal commands from the web


#7

If someone gives you a bad shell command, just do what I do and delete /etc. Works every time.

(In case it’s not obvious: Do NOT delete /etc unless you know what you’re doing and why.)

Also, for that matter, do not pour salt water into your computer or place your laptop in the microwave. Even if someone from technical support tells you to. Perhaps especially if so.


#8

I just gave the links a quick glance, but the main attack vector seems to be text strings with partial obfuscation via CSS display props. (Here’s one source)

Works fine against Windows, too. The linked Reddit thread covers some of that, but it’s a long wearisome thread…

I’m a fan of keeping a 7-bit editor handy to wash copy operations from web pages.


#9

I paste into Notepad as a habit because Windows likes to be ‘smart’ on me and do fancy crap I don’t want done with formatting, which I never ever want.


#10

buuut laaazyness! Also, if you’re copying code from a site that you’re pretty much running compiled software as root, you’re really only opening yourself up to some nasty XSS, but it is a good reminder to not just trust some stranger’s code. Recalling a script I wrote with a bunch of “rm -rf” commands, you could get some interesting glitches by adding “-exec sed -i “s#/bin#\ /bin#g” {} ;” to an overly inclusive find command.


#11

I think it’s mostly Word. I’ve taken to writing in Notepad++ when I need to make something to paste into a webform.


#12

Can we have the old web back?

With just text files, images, and links to other text files and images?

I thought this topic would just be a reminder not to run commands you don’t understand.

But actually the article warns us about something that should not even be possible.


#13

Uh, the tl;dr is wrong; this has nothing to do with JavaScript.


#14

I was thinking of writing an endorsement of an Oh-My-Zsh plugin, safe-paste.

Then I remembered that the way the Oh-My-Zsh people recommend installing Oh-My-Zsh is with wget or curl, piped through sh.

And that’s not much different from how Oh-My-Zsh updates itself.

Suddenly, I don’t feel like Oh-My-Zsh is so clever.


#15

Seconded - the TL;DR should talk about shell commands, not JavaScript. This particular exploit doesn’t involve JavaScript.

And nothing is being automatically executed here; the end user is explicitly pasting commands into a terminal in this scenario.


#16

This exploit doesn’t work if you aren’t allowing scripts by default. Which I’m not. So, problem solved in 0 easy steps.


#17

There is a similar problem with web links. Some sites will have a link that you think is directly taking you to the target site, but it is actually wrapped in a tracking web site like viglink full of information about who you are and where you came from.


#18

As if they could possibly understand! XD


#19

I was suspicious of this too. I wasn’t under the impression that clipboard contents were executed or interpreted.


#20

wait what? this is a joke right?

If serious, on what OS? Which JavaScript engine is running it from the clipboard? The linked-to “clever fellow” explanation says no such thing… I program JavaScript all day and cut and paste JavaScript like a champ, nothing ever runs. I’ll assume this is just a joke and I’m not getting the humor.

Nothing should ever run from the clipboard directly… unless you have the world’s worst clipboard extension installed.


#21

This LINK talks about clipboard poisoning…which still doesn’t execute automatically from the clipboard, rather it changes the clipboard content from what you think you copied to something less desirable. You still have to paste it into a terminal to execute.


#22

I typically “clean” anything I copy from the web by pasting into notepad. Normally this is just to strip out formatting before pasting into a different program, but it works just fine to “discover” hidden malicious code as well.
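The “paste into Notepad first” habit from this post, the 7-bit editor wash from #8 and the point in #21 that poisoned clipboard text only bites once it is pasted into a terminal all come down to one check: look at the raw bytes before the shell does. Below is an added example of that check done in the shell itself; it is not code from the thread or from any project mentioned in it. Both functions read the candidate text from stdin, so nothing in it is ever evaluated, and the sample string in the demo is constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): a "wash" step for text copied from a web
# page, done in the shell instead of in Notepad or a 7-bit editor. The candidate
# text is read from stdin, so nothing in it is ever evaluated. All sample
# strings are constructed for this example.

# inspect_paste: read candidate command text on stdin and report anything a
# hidden-text trick relies on. Exit status 0 means plain single-line 7-bit
# text; 1 means look before this goes anywhere near a prompt.
inspect_paste() {
    # Capture stdin byte for byte; the trailing 'x' stops $(...) from eating a
    # final newline, which is exactly the byte that makes a paste run itself.
    local text
    text=$(cat; printf x)
    text=${text%x}

    local newlines carriage others
    newlines=$(printf '%s' "$text" | tr -cd '\n' | wc -c | tr -d ' ')
    carriage=$(printf '%s' "$text" | tr -cd '\r' | wc -c | tr -d ' ')
    # What remains after dropping printable ASCII, NL and CR is a control byte
    # or part of a non-7-bit character: zero-width spaces, look-alike Unicode,
    # terminal escape sequences.
    others=$(printf '%s' "$text" | tr -d '\n\r' | LC_ALL=C tr -d '[:print:]' | wc -c | tr -d ' ')

    local status=0
    if [ "$newlines" -gt 0 ]; then
        echo "WARN: $newlines newline(s): a pasted newline runs the line before you can read it"
        status=1
    fi
    if [ "$carriage" -gt 0 ]; then
        echo "WARN: $carriage carriage return(s)"
        status=1
    fi
    if [ "$others" -gt 0 ]; then
        echo "WARN: $others control or non-7-bit byte(s): possible hidden characters"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: plain single-line 7-bit text"
    fi
    return "$status"
}

# render_paste: show the text the way the shell would see it. POSIX sed's 'l'
# command prints every line with a '$' where the newline sits and every byte
# outside printable ASCII as a backslash-octal escape (LC_ALL=C so multi-byte
# characters are not treated as printable). For reading, not for re-pasting.
render_paste() {
    LC_ALL=C sed -n l
}

# Demo: run with --demo. The sample is a visible command, a zero-width space
# (U+200B, bytes 0xE2 0x80 0x8B) and a second line that a page could hide with
# a CSS display property, ending in the newline that would execute it.
if [ "${1:-}" = "--demo" ]; then
    printf 'echo hello\342\200\213\necho "this line ran before you saw it"\n' | render_paste
    printf 'echo hello\342\200\213\necho "this line ran before you saw it"\n' | inspect_paste
fi
```

Run it as `sh wash.sh --demo` to see the rendered bytes and the warnings for the constructed sample. The same check covers the curl-piped-to-sh installers from #14: fetch the script to a file first and run `inspect_paste < install.sh` (and `render_paste < install.sh` to read it) before deciding whether to execute it.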


#23

sudo rm -rf /*


#24

You wish! EVERY DAY OF MY LIFE IS THIS.


#25

Except that most people have scripts on because, for example, Twitter, Facebook, and Gmail don’t work if you turn off all scripts.


#26

exactly, I read it too and thought, on what planet?