config.def.h: add an option allowwindowops, by default off (secure)
authorHiltjo Posthuma <hiltjo@codemadness.org>
Sat, 30 May 2020 19:56:18 +0000 (21:56 +0200)
committerHiltjo Posthuma <hiltjo@codemadness.org>
Sat, 30 May 2020 20:06:15 +0000 (22:06 +0200)
Similar to the xterm AllowWindowOps option, this is an option to allow or
disallow certain (non-interactive) operations that can be insecure or
exploited.

NOTE: xsettitle() is not guarded by this because st does not support printing
the window title. Else this could be exploitable (arbitrary code execution).
Similar problems have been found in the past in other terminal emulators.

The sequence for base64-encoded clipboard copy is now guarded because it allows
a sequence written to the terminal to manipulate the clipboard of the running
user non-interactively, for example:

printf '\x1b]52;0;ZWNobyBoaQ0=\a'

config.def.h
st.c
st.h

index 293e00c4284d411fd80bbe9a1f3cd437068a57bd..6f05dce6aaec83db925b9ec9af40284b4bf13fd7 100644 (file)
@@ -43,6 +43,10 @@ static unsigned int tripleclicktimeout = 600;
 /* alt screens */
 int allowaltscreen = 1;
 
+/* allow certain non-interactive (insecure) window operations such as:
+   setting the clipboard text */
+int allowwindowops = 0;
+
 /*
  * draw latency range in ms - from new content/keypress/etc until drawing.
  * within this range, st draws when content stops arriving (idle). mostly it's
diff --git a/st.c b/st.c
index 2d901ab66e2436c95906d5edeb77ee05e7ae5058..ef8abd5d04928739f2bb4004e26b6c82da8098b6 100644 (file)
--- a/st.c
+++ b/st.c
@@ -1861,7 +1861,7 @@ strhandle(void)
                                xsettitle(strescseq.args[1]);
                        return;
                case 52:
-                       if (narg > 2) {
+                       if (narg > 2 && allowwindowops) {
                                dec = base64dec(strescseq.args[2]);
                                if (dec) {
                                        xsetsel(dec);
diff --git a/st.h b/st.h
index d978458425934fa1db8c5c03a62c917e244d8933..3d351b69ea3746bf80de58a1ce1a2b2a4dc30ba5 100644 (file)
--- a/st.h
+++ b/st.h
@@ -118,6 +118,7 @@ extern char *stty_args;
 extern char *vtiden;
 extern wchar_t *worddelimiters;
 extern int allowaltscreen;
+extern int allowwindowops;
 extern char *termname;
 extern unsigned int tabspaces;
 extern unsigned int defaultfg;