Don’t Copy-Paste Directly from Website to Terminal

Good reminder and discussion on Hacker News about the danger of copy-pasting from a website into a terminal.

When you copy from a website, it is easy for hidden text to be included in the clipboard. If you paste that into a terminal, it can be executed before you see the code: any newline characters in the copied text will automatically execute the commands (in most terminal applications).

The best solution is to paste the clipboard content into something where you can view the text before pasting it into the terminal. The best way is probably to recopy it. I use this double-copy method to get rid of formatting I don’t want (when the clipboard includes things like font styling info you don’t want; that is not relevant when pasting into a terminal, but the pasting [into, say, vim, which won’t include the extra formatting details] and recopying part is similar). It may be possible to have text hidden (written in a way where it won’t show up on the screen but is in the clipboard, using some tricky Unicode characters or something).

Some people type # before pasting into the terminal, but that only protects the first “line.” Any new lines could still be run without you seeing them.

The discussion warns against a malicious website intentionally creating a problem, but if you paste in multiple lines there is also the plain danger of the lines executing immediately when you wanted to edit a line before it was executed.
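The checks described above (line breaks that run commands, characters that don't show on screen, a leading # that guards only one line) can be automated before anything reaches the shell. The following is an added example, not code from the original post or the Hacker News discussion; the function name, the finding labels and the sample text are all made up for illustration.

```python
import unicodedata

# Constructed sample: a '#'-guarded first line, a second command,
# and a zero-width space (U+200B) that would not show on screen.
SAMPLE = "#echo first\necho second\u200b\n"


def inspect_paste(text):
    """Return (visible, findings) for text about to be pasted into a shell."""
    visible, findings = [], set()
    for ch in text:
        cat = unicodedata.category(ch)
        if ch in "\r\n":
            # A line break is what makes the shell run the text so far.
            visible.append("\\r" if ch == "\r" else "\\n\n")
            findings.add("line-break")
        elif cat == "Cc":
            # Other control characters (ESC, backspace, tab, ...).
            visible.append(f"<0x{ord(ch):02X}>")
            findings.add("control-char")
        elif cat == "Cf":
            # Format characters: zero-width spaces, bidi overrides, ...
            visible.append(f"<U+{ord(ch):04X}>")
            findings.add("invisible-unicode")
        else:
            visible.append(ch)

    lines = [ln for ln in text.replace("\r", "\n").split("\n") if ln.strip()]
    if len(lines) > 1:
        findings.add("multiple-commands")
        # A leading '#' comments out only the line it is on.
        first_guarded = lines[0].lstrip().startswith("#")
        rest_guarded = all(ln.lstrip().startswith("#") for ln in lines[1:])
        if first_guarded and not rest_guarded:
            findings.add("comment-guard-bypassed")
    return "".join(visible), findings


if __name__ == "__main__":
    shown, why = inspect_paste(SAMPLE)
    print(shown)
    print("findings:", ", ".join(sorted(why)) or "none")
```

An empty findings set means the text is a single line of printable characters with no trailing newline, so nothing runs until you press Enter yourself.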


2 thoughts on “Don’t Copy-Paste Directly from Website to Terminal”

  1. I just learned of this danger today and it’s scaring the crap out of me. When I think of the few times I’ve copied code from a developer’s site to add a ppa or download a utility, the thought that what actually was executed in terminal leaves a feeling of dread.

    So, I’m left with two things. To remove any doubts I may have about getting pwned, I’ve got to start from scratch – a clean OS install, re-install all programs, import (after screening) my home folder. Big ouch, and very tedious.

    Second, any temptation to copy-paste, the code is going to be filtered first through a text editor (unless they’re now susceptible as well.)

    cheers – not. crap.
