Debian Bug report logs - #637001
allow xterm to run a user-specified command on some event (e.g. to open a URL)


Package: xterm; Maintainer for xterm is Debian X Strike Force <debian-x@lists.debian.org>; Source for xterm is src:xterm.

Reported by: Vincent Lefevre <vincent@vinc17.net>

Date: Sun, 7 Aug 2011 16:57:02 UTC

Severity: wishlist

Tags: fixed-upstream

Found in version xterm/271-1

Fixed in version xterm/278-1

Done: Julien Cristau <jcristau@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#637001; Package xterm. (Sun, 07 Aug 2011 16:57:04 GMT)

Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
New Bug report received and forwarded. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Sun, 07 Aug 2011 16:57:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Vincent Lefevre <vincent@vinc17.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: allow xterm to run a user-specified command on some event (e.g. to open a URL)
Date: Sun, 7 Aug 2011 18:53:33 +0200

Package: xterm
Version: 271-1
Severity: wishlist

xterm should have a way to run a user-specified shell command
on some event. For instance, xterm could define a new action
run-command(command [, ...?]). The command would get context
information, either as an argument or in standard input, such
as what is under the mouse pointer (so that the user doesn't
need to make a selection first).

The context could be some string (possibly including newline
characters) matching a user-specified regexp; that would be
sufficient for URL's. But getting color/attribute information
too might also be useful.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xterm depends on:
ii  libc6                         2.13-14    Embedded GNU C Library: Shared lib
ii  libfontconfig1                2.8.0-3    generic font configuration library
ii  libice6                       2:1.0.7-2  X11 Inter-Client Exchange library
ii  libncurses5                   5.9-1      shared libraries for terminal hand
ii  libutempter0                  1.1.5-4    A privileged helper for utmp/wtmp 
ii  libx11-6                      2:1.4.4-1  X11 client-side library
ii  libxaw7                       2:1.0.9-2  X11 Athena Widget library
ii  libxft2                       2.2.0-3    FreeType-based font drawing librar
ii  libxmu6                       2:1.1.0-2  X11 miscellaneous utility library
ii  libxt6                        1:1.1.1-2  X11 toolkit intrinsics library
ii  xbitmaps                      1.1.1-1    Base X bitmaps

Versions of packages xterm recommends:
ii  x11-utils                     7.6+3      X11 utilities

Versions of packages xterm suggests:
pn  xfonts-cyrillic               <none>     (no description available)

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#637001; Package xterm. (Sun, 07 Aug 2011 17:27:06 GMT)

Acknowledgement sent to Thomas Dickey <dickey@his.com>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Sun, 07 Aug 2011 17:27:06 GMT)

Message #10 received at 637001@bugs.debian.org:

From: Thomas Dickey <dickey@his.com>
To: Vincent Lefevre <vincent@vinc17.net>, 637001@bugs.debian.org
Cc: Debian X Strike Force <debian-x@lists.debian.org>
Subject: Re: Bug#637001: allow xterm to run a user-specified command on some event (e.g. to open a URL)
Date: Sun, 7 Aug 2011 13:11:50 -0400 (EDT)

On Sun, 7 Aug 2011, Vincent Lefevre wrote:

> Package: xterm
> Version: 271-1
> Severity: wishlist
>
> xterm should have a way to run a user-specified shell command
> on some event. For instance, xterm could define a new action
> run-command(command [, ...?]). The command would get context
> information, either as an argument or in standard input, such
> as what is under the mouse pointer (so that the user doesn't
> need to make a selection first).

That's off in that gray area where (disregarding the double standards 
applied to gnome-terminal, konsole, etc), the security team is likely to 
limit or suppress the feature.  Lacking some discussion with those people, 
yes it's a simple feature, but not certain you'd get it in Debian.

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net




Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#637001; Package xterm. (Mon, 08 Aug 2011 00:03:03 GMT)

Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Mon, 08 Aug 2011 00:03:04 GMT)

Message #15 received at 637001@bugs.debian.org:

From: Vincent Lefevre <vincent@vinc17.net>
To: Thomas Dickey <dickey@his.com>
Cc: 637001@bugs.debian.org, Debian X Strike Force <debian-x@lists.debian.org>
Subject: Re: Bug#637001: allow xterm to run a user-specified command on some event (e.g. to open a URL)
Date: Mon, 8 Aug 2011 01:55:28 +0200

On 2011-08-07 13:11:50 -0400, Thomas Dickey wrote:
> On Sun, 7 Aug 2011, Vincent Lefevre wrote:
> >xterm should have a way to run a user-specified shell command
> >on some event. For instance, xterm could define a new action
> >run-command(command [, ...?]). The command would get context
> >information, either as an argument or in standard input, such
> >as what is under the mouse pointer (so that the user doesn't
> >need to make a selection first).
> 
> That's off in that gray area where (disregarding the double standards
> applied to gnome-terminal, konsole, etc), the security team is likely to
> limit or suppress the feature.  Lacking some discussion with those people,
> yes it's a simple feature, but not certain you'd get it in Debian.

I don't see what security problem there could be. Note that the
command would be specified by the user, so that everything is under
his control. Only its argument or standard input would come from
the terminal, but it's up to the command to check its input, as
usual.

Of course the user must know what he's doing, but this is also true
when copy-pasting to a terminal with a shell (which can actually be
more dangerous as arbitrary commands can be run).

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#637001; Package xterm. (Tue, 09 Aug 2011 11:06:03 GMT)

Acknowledgement sent to Thomas Dickey <dickey@his.com>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Tue, 09 Aug 2011 11:06:08 GMT)

Message #20 received at 637001@bugs.debian.org:

From: Thomas Dickey <dickey@his.com>
To: Vincent Lefevre <vincent@vinc17.net>, 637001@bugs.debian.org
Subject: Re: Bug#637001: allow xterm to run a user-specified command on some event (e.g. to open a URL)
Date: Tue, 9 Aug 2011 07:00:32 -0400 (EDT)

On Mon, 8 Aug 2011, Vincent Lefevre wrote:

> On 2011-08-07 13:11:50 -0400, Thomas Dickey wrote:
>> On Sun, 7 Aug 2011, Vincent Lefevre wrote:
>>> xterm should have a way to run a user-specified shell command
>>> on some event. For instance, xterm could define a new action
>>> run-command(command [, ...?]). The command would get context
>>> information, either as an argument or in standard input, such
>>> as what is under the mouse pointer (so that the user doesn't
>>> need to make a selection first).
>>
>> That's off in that gray area where (disregarding the double standards
>> applied to gnome-terminal, konsole, etc), the security team is likely to
>> limit or suppress the feature.  Lacking some discussion with those people,
>> yes it's a simple feature, but not certain you'd get it in Debian.
>
> I don't see what security problem there could be. Note that the
> command would be specified by the user, so that everything is under
> his control. Only its argument or standard input would come from
> the terminal, but it's up to the command to check its input, as
> usual.

It falls into the same category as the other "allow" items - something 
where there's a potential for outsiders (e.g., send-events) to manipulate 
it.

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net




Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#637001; Package xterm. (Tue, 09 Aug 2011 12:37:47 GMT)

Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Tue, 09 Aug 2011 12:38:11 GMT)

Message #25 received at 637001@bugs.debian.org:

From: Vincent Lefevre <vincent@vinc17.net>
To: Thomas Dickey <dickey@his.com>
Cc: 637001@bugs.debian.org
Subject: Re: Bug#637001: allow xterm to run a user-specified command on some event (e.g. to open a URL)
Date: Tue, 9 Aug 2011 14:34:55 +0200

On 2011-08-09 07:00:32 -0400, Thomas Dickey wrote:
> It falls into the same category as the other "allow" items -
> something where there's a potential for outsiders (e.g.,
> send-events) to manipulate it.

Not really. Events sent by process output to the terminal should
be disabled, whether or not the run-command is implemented. As
I've said, a middle-click (which does a paste) is already dangerous
enough.

What I'm saying is that

  Meta <Btn1Up>: run-command(...)

wouldn't be more dangerous than the standard

  ~Ctrl ~Meta <Btn2Up>: insert-selection(SELECT, CUT_BUFFER0)

if the command itself doesn't contain a security hole.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
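
Added example, not part of the thread and not xterm's code: a handler of the kind discussed in the messages above, which treats the text taken from the screen as untrusted and checks it before passing it to an opener. The names `is_safe_url`, `open_from_terminal` and `OPENER` are assumptions, as is the handler receiving the text as its first argument.

```shell
#!/bin/sh
# Added example: handler for text a terminal passes to a user-configured command.
# Assumption: the text arrives as the first argument ($1).
LC_ALL=C; export LC_ALL          # byte-wise matching, locale-independent ranges

# Pattern for "contains a byte outside the allowlist". Kept in a variable so
# that '&' and '#' are never seen by the shell's own parser.
NOT_ALLOWED='*[!A-Za-z0-9._~:/?#&=+%-]*'

# Succeeds only for a bounded, single-line http(s) URL built from the
# allowlist. Control bytes (newline, ESC), spaces, quotes, '$', '`', ';'
# and '|' are all outside it, so such input is refused, not repaired.
is_safe_url() {
    url=$1
    [ "${#url}" -le 2048 ] || return 1
    case $url in
        http://?*|https://?*) ;;      # scheme allowlist; also excludes a leading '-'
        *) return 1 ;;
    esac
    case $url in
        $NOT_ALLOWED) return 1 ;;
    esac
    return 0
}

# Runs the opener with the URL as one argv element: no eval, no sh -c,
# no string concatenation. OPENER is a hypothetical override for testing.
open_from_terminal() {
    if is_safe_url "$1"; then
        "${OPENER:-xdg-open}" "$1"
    else
        # Do not print the rejected text: it may carry escape sequences.
        printf '%s\n' 'refused: not a plain http(s) URL' >&2
        return 1
    fi
}

if [ "$#" -gt 0 ]; then
    open_from_terminal "$1"
fi
```

The allowlist is deliberately narrower than the full URL grammar (for example it omits `@`), so some valid URLs are refused.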




Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#637001; Package xterm. (Sun, 08 Jan 2012 14:48:05 GMT)

Acknowledgement sent to dickey@his.com:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Sun, 08 Jan 2012 14:48:05 GMT)

Message #30 received at 637001@bugs.debian.org:

From: Thomas Dickey <dickey@his.com>
To: 637001@bugs.debian.org
Cc: 637001-submitter@bugs.debian.org
Subject: re: #637001 allow xterm to run a user-specified command on some event (e.g. to open a URL)
Date: Sun, 08 Jan 2012 09:46:30 -0500

this is addressed in #277

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net

Message sent on to Vincent Lefevre <vincent@vinc17.net>:
Bug#637001. (Sun, 08 Jan 2012 14:48:17 GMT)

Added tag(s) fixed-upstream. Request was from Thomas Dickey <dickey@his.com> to control@bugs.debian.org. (Sun, 08 Jan 2012 14:48:18 GMT)

Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. (Mon, 09 Apr 2012 21:03:09 GMT)

Notification sent to Vincent Lefevre <vincent@vinc17.net>:
Bug acknowledged by developer. (Mon, 09 Apr 2012 21:03:10 GMT)

Message #40 received at 637001-close@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: 637001-close@bugs.debian.org
Subject: Bug#637001: fixed in xterm 278-1
Date: Mon, 09 Apr 2012 20:59:16 +0000

Source: xterm
Source-Version: 278-1

We believe that the bug you reported is fixed in the latest version of
xterm, which is due to be installed in the Debian FTP archive:

xterm_278-1.diff.gz
  to main/x/xterm/xterm_278-1.diff.gz
xterm_278-1.dsc
  to main/x/xterm/xterm_278-1.dsc
xterm_278-1_amd64.deb
  to main/x/xterm/xterm_278-1_amd64.deb
xterm_278.orig.tar.gz
  to main/x/xterm/xterm_278.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 637001@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated xterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 09 Apr 2012 21:45:01 +0200
Source: xterm
Binary: xterm
Architecture: source amd64
Version: 278-1
Distribution: unstable
Urgency: low
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description: 
 xterm      - X terminal emulator
Closes: 637001 650291 652907
Changes: 
 xterm (278-1) unstable; urgency=low
 .
   * New upstream release
     - move call to grantpt before asking utempter to add a record, to work
       with kFreeBSD which does not update the terminal's ownership until this
       point (closes: #652907)
     - document limitation of XIM interface in manpage (see #230787)
     - add four new actions for making the selection or data directly copied
       from the screen: exec-formatted, exec-selectable, insert-formatted,
       insert-selectable (closes: #637001)
     - add eightBitMeta resource to control the features which modify or
       interpret the eighth bit of a key when the meta modifier key is pressed
       (prompted by #326200)
     - improve discussion of eightBitInput in the manpage (prompted by #326200)
     - add a workaround for XAllocColor(), which does not actually allocate "a
       read-only colormap entry corresponding to the closest RGB value
       supported by the hardware", but rather a rough approximation (closes:
       #650291)
   * Update copy of XTerm FAQ to revision 1.180 (dated 2012/02/06).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 18 May 2012 07:33:35 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 23:20:37 2014; Machine Name: beach.debian.org
