by simgidacav 4594 days ago
> Commandline snippet poisoning

Really? So would you blindly copy-paste things into your shell? Then I don't need to hijack your connections, I just put malicious pastes on the website.

If you are moron enough to copy-paste the first thing you find, you are probably not reading the other users' warnings about "this answer is wrong".

1 comments

The attack mentioned is to change the text when you go to copy it; that will get even people who carefully read every forum post before copying and pasting.

How many people review the snippet, copy, paste it into a text editor, re-review it, copy it, and then paste it into their shell?

Ctrl-X Ctrl-E in bash will open an editor for the current command, which is executed when the editor is exited. After the potential for exploit was publicised a few months ago, I use this every time and it's really not much more effort than just pasting into the shell. As a bonus, it means I don't have to worry about embedded newlines stopping me from tweaking the command before running it.

You can embed \x1b (escape) into a webpage. When you copy-and-paste that, it has the same effect as hitting ESC in the editor. So, I'd just have to make you copy "<evil command>#\x1b:wq\n" to also catch the case that you're using vim instead of directly pasting. However, I can't figure out a way to escape from nano.

(Tested it with the combination chromium+xterm+vim.)
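An added example, not part of any comment in this thread: a small Python filter that audits text about to be pasted into a shell or editor for the things discussed above (an ESC byte, embedded or trailing newlines, other invisible characters). The function names and the sample string are constructed for illustration; the bracketed-paste check goes slightly beyond what the comments mention.

```python
import sys
import unicodedata

# End marker of terminal "bracketed paste" mode; inside pasted text it can
# make the terminal treat the remainder as typed input.
PASTE_END = "\x1b[201~"
ALLOWED = "\x1b\n\r\t"  # reported separately (or harmless, for tab)

def is_invisible(ch):
    """True for control (Cc) and format (Cf) characters, e.g. ESC or U+200B."""
    return unicodedata.category(ch) in ("Cc", "Cf")

def visible(text):
    """Render control/format characters as escapes so a human can read them."""
    return "".join(
        ("\\x%02x" % ord(ch) if ord(ch) < 0x100 else "\\u%04x" % ord(ch))
        if is_invisible(ch) else ch
        for ch in text
    )

def audit_paste(text):
    """Return a list of findings; an empty list means plain single-line text."""
    findings = []
    if PASTE_END in text:
        findings.append("bracketed-paste end sequence")
    if "\x1b" in text:
        findings.append("ESC character (terminal/editor control)")
    body = text[:-1] if text.endswith("\n") else text
    if text.endswith("\n"):
        findings.append("trailing newline (command runs on paste)")
    if "\n" in body or "\r" in body:
        findings.append("embedded line break (more than one command)")
    others = sorted({visible(c) for c in text if is_invisible(c) and c not in ALLOWED})
    if others:
        findings.append("other invisible characters: " + ", ".join(others))
    return findings

# Constructed sample in the shape quoted in the comment above, with a
# harmless command in place of the payload.
SAMPLE = "echo harmless #\x1b:wq\n"

if __name__ == "__main__":
    data = sys.stdin.read() or SAMPLE
    print(visible(data))
    problems = audit_paste(data)
    for p in problems:
        print("WARNING:", p)
    sys.exit(1 if problems else 0)
```

Pipe the clipboard contents into the script before pasting; a non-zero exit status means the text contains something that was not visible on the page.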

I deem your point good. I didn't realize it entirely.

Still, since I started running GNU/Linux I have never pasted a command line from a website into my terminal. This is just reckless. In the borderline case, I understand what the example is showing me and then I apply it.