On 03/07/2017 05:05 PM, yary wrote:

On Tue, Mar 7, 2017 at 11:51 AM, ToddAndMargo <toddandma...@zoho.com> wrote:

    I have it running perfectly with the sub I showed.  Thank you for
    the help!


I enjoy helping out and you've stuck through our suggestions in the
past. Stick through this thread, give us the benefit of the doubt, and
have a little more skepticism that this problem is "done." Please do
*run the example I gave before*. -- go ahead RUN IT-- sorry to shout but
this is an important lesson in security! There's a reason Timo & I have
been giving you examples, and that's because we are hoping to inspire an
"aha!" moment that will lead you to further discovery- better
understanding- and code that won't surprise you unpleasantly in the future.

-y


$ more YaryTest.pl6
#!/usr/bin/perl6

sub WriteSecondaryClipboard ( $Str ) {     # <ctrl><c>
   my $Cmd = "echo \"$Str\" | xclip -selection clipboard";
   shell $Cmd;
}

WriteSecondaryClipboard('surprise"> AnotherBadFile.txt; ls -l A*.txt; #');



./YaryTest.pl6
-rw-r--r--. 1 tony users 9 Mar  7 22:19 AnotherBadFile.txt


more AnotherBadFile.txt
surprise



Hi Yary,

I do sincerely appreciate the help.  Please don't mistake all my
questions as disregarding your advice.

Okay on the above.  "So what?".  One could use the above to
wreak havoc in their own area.  It doesn't compromise the
root's account or the root's files (if permissioned appropriately).
I am not getting what the concern is about.

Are you saying that someone could go into a module, alter the code,
then catch a root level program calling the module and use it
to wreak havoc on a system?

You can do this in bash too:

$ ls -al /usr/bin/ls
-rwxr-xr-x. 1 root root 117656 Nov  4 10:23 /usr/bin/ls

But you notice that you have to be "root" to write to the sucker,
so there is no altering ls' code by a user.  Tagging your
modules as root.root and 755 will do the same.

And, don't forget SELinux will keep you out of where you
are not supposed to go.

And, if you know how to write in Bash code, this compromise is
near meaningless. You have so, so many other things you can
wreak havoc on.

This guy's module

    https://github.com/kmwallio/p6-OS-Clipboard

has the same "flaw" all over it as he is using a pipe and xclip.

Now the question arises, how does one write to the "clipboard"
(not the primary) without using a pipe or xclip?

I have looked around for the hooks into X11 for both clipboards
and am thoroughly confused.  Looking at:

    https://sourceforge.net/p/xclip/code/HEAD/tree/trunk/xclip.c

I haven't a clue what he is doing.  (I have a hard time reading "C".)

A "C" guy also sent me how to do it in "C" and I don't know how to
do that either.  It is a few hundred lines with things like:

<c code>
void copyTextToClipboard(BBX_Clipboard *clip, char *text)
{
  if(clip->text)
    free(clip->text);
  clip->text = bbx_strdup(text);
  XSetSelectionOwner(clip->dpy, XA_PRIMARY, clip->win, CurrentTime);
  XSetSelectionOwner(clip->dpy, clip->atom_CLIPBOARD, clip->win, CurrentTime);
}
</c code>

I can send you the whole thing, if you like.

Me personally, I'd rather go direct than use a "helper" application.
Be nice if there were a module already written for this.

Now this looks promising:
    https://github.com/slobo/Perl6-X11-Xlib-Raw
But, then again, I don't know the hooks for both clipboards.

Don't suppose there is a "C" to "Perl 6" converter out there.

Thank you for all the help,
-T


For fun, in Linux, highlight some text and run the following:

<code>
#!/usr/bin/perl6

sub ReadPrimaryClipboard ()    # center click
   { return qx{ xclip -selection primary -o }.lines; }

print ReadPrimaryClipboard() ~ "\n";
</code>




--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computers are like air conditioners.
They malfunction when you open windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
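
The clipboard write from this thread done without a shell, as an added example that is not part of the original messages: Perl 6's `run` starts the program from an argument list and the text is written to its standard input, so quotes and semicolons in `$Str` are never parsed as shell syntax. The helper `SendToCommand`, the name `$Payload` and the use of `cat` as a stand-in for xclip are assumptions made here so the check runs without an X11 session.

```perl6
#!/usr/bin/env perl6

# Hardened counterpart to WriteSecondaryClipboard from the thread.
# `run` receives a list of arguments and executes xclip directly; no
# /bin/sh is started, so nothing in $Str can end the command early.
sub WriteSecondaryClipboard ( Str $Str ) {
    # Output is not captured: xclip keeps running in the background
    # to serve the selection.
    my $Proc = run 'xclip', '-selection', 'clipboard', :in;
    $Proc.in.print: $Str;    # text travels as data on stdin
    $Proc.in.close;          # end of input; xclip now owns the selection
    # Unlike `echo`, no trailing newline is appended.
}

# Hypothetical helper for the demonstration: send $Str to any command
# the same way and return what the command wrote back.
# Intended for short strings only.
sub SendToCommand ( Str $Str, *@Cmd ) {
    my $Proc = run |@Cmd, :in, :out;
    $Proc.in.print: $Str;
    $Proc.in.close;
    return $Proc.out.slurp: :close;
}

# The string from YaryTest.pl6 in this thread, used here as test data.
my $Payload = 'surprise"> AnotherBadFile.txt; ls -l A*.txt; #';

# `cat` stands in for xclip and echoes its stdin back unchanged.
my $Seen = SendToCommand( $Payload, 'cat' );

if $Seen eq $Payload {
    say "Delivered verbatim as data: $Seen";
}
else {
    say "Input was altered on the way to the command";
}

# With xclip installed and an X11 session available:
# WriteSecondaryClipboard( $Payload );
```

Pasting after the commented-out call should give the whole string, quotes and semicolons included, which is the behaviour the `echo "..." | xclip` version cannot guarantee.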
