triggers configuration: securely pass capture group
10 views
Skip to first unread message
Franklin Yu
Oct 30, 2022, 7:48:14 PM10/30/22
to iterm2-discuss
Hi folks,
This is a question about iTerm2 triggers. I noticed that iTerm2 can be configured to run any command upon a trigger. I would like to pass one of the captured groups as a command argument, but I’m concerned about security here. Do I understand correctly that iTerm2 will assemble the entire string (including string interpolation) before sending it to a shell? In other words, would my-command "\(matches[1])" with insecure matches lead to my machine being compromised?
Regards,
Franklin
This is a question about iTerm2 triggers. I noticed that iTerm2 can be configured to run any command upon a trigger. I would like to pass one of the captured groups as a command argument, but I’m concerned about security here. Do I understand correctly that iTerm2 will assemble the entire string (including string interpolation) before sending it to a shell? In other words, would my-command "\(matches[1])" with insecure matches lead to my machine being compromised?
Regards,
Franklin
George Nachman
Nov 1, 2022, 8:47:06 PM11/1/22
to iterm2-...@googlegroups.com
I wouldn’t recommend using a trigger like that when your adversary controls the input. You are correct that it could lead to problems.
--
You received this message because you are subscribed to the Google Groups "iterm2-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to iterm2-discus...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/iterm2-discuss/c2f3aa75-4021-4a7f-bf08-68db5d78111fn%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages