I came across this one day when pasting commands into my terminal on Linux only to find the value I had pasted had some strange characters in-front of it and after it. In my case the pasted text was prefixed with ‘00~’ and suffixed with ‘01~’, looking like this:
00~Text pasted in01~
In my research I found others reporting something similar with a single numerical digit i.e. ‘0~Text pasted in1~’. In some other cases like this ‘\e[200~Text pasted in\e[201~’ which appears to include an escape character sequence ‘\e[2’ ahead of the bits that show up in the terminal after the paste operation.
Initially it was irritating as I’d have to close and re-open my terminal window to clear the problem prior to finding out what was causing it. I later discovered this page about bracketed paste mode by Conrad Irwin which explained more about what’s going on.
To disable this behaviour type in and execute the following in your terminal: printf "\e[?2004l"
So what is bracketed paste mode? It’s a terminal mode programs can enable and disable with escape codes like the one above used for disabling the mode. When enabled the terminal wraps any pasted text in the aforementioned characters, allowing programs to decipher whether the input they are receiving was typed in or pasted, to which they can react differently if so desired.
An example use of such a feature (as mentioned in Conrad Irwin’s article) would be to ensure pasted text was prevented from executing until you press the <kbd>enter</kbd> key. Thereby giving you time to look over what you’ve typed before executing it.
This leads to the bigger lesson, we’re all often a bit lazy, especially when it comes to long commands with lots of arguments or multiple commands across several lines, and we all too often copy and paste them straight into the terminal without much care. Sometimes this means we accidentally copy invisible trailing newline character(s) which means the pasted text executes immediately which could be undesirable or bad if we needed to tweak some argument.
Worse still is the possibility that unscrupulous people could craft malicious text that looks innocent in a web browser, but which includes hidden text, visually hidden or moved off canvas using CSS. When pasted into the terminal it runs a sequence of commands that you weren’t expecting, perhaps even obscuring the output of these commands by piping their output to /dev/null, followed by the command you were expecting. Meanwhile unbeknown to yourself they may have added a user to your system for themselves and opened a port on your firewall through which to access your computer, easily done if you have password-less access to sudo. See here for a slightly less dangerous proof of concept.
So the lesson to be learnt here is like the slogan from the X-Files TV Series: ‘trust no one’. Instead perhaps copy and paste the stuff you want to use into a very simple (dumb) text editor (i.e. not vim or emacs which have shell access and makes use of escape character sequences) not capable of displaying non-printable characters, before pasting into the terminal. Alternatively you could use a clipboard manager to inspect what’s in the clipboard buffer prior to pasting.
Further reading resources:
https://security.stackexchange.com/questions/39118/how-can-i-protect-myself-from-this-kind-of-clipboard-abuse