Shell script autorun paired with Google Chrome will cause unwary or unlucky users to compromise their machine
Thanks for filing an issue! Please answer the questions below so I can help you.
- iTerm2 version: 3.2.0
- OS version: 10.12.6 (attachment: com.googlecode.iterm2.plist)
- Attach ~/Library/Preferences/com.googlecode.iterm2.plist here (drag-drop from finder into this window)
- Attach a debug log, if possible. Instructions at https://iterm2.com/debuglog
- Are you reporting a performance issue or a hang? Please attach a sample. Instructions at https://gitlab.com/gnachman/iterm2/wikis/HowToSample
- Are you reporting a crash? Please attach the crash log. Instructions at https://gitlab.com/gnachman/iterm2/wikis/crash-logs
- Are you reporting excessive memory usage? Please attach a heap analysis: https://gitlab.com/gnachman/iterm2/wikis/heapshot
Detailed steps to reproduce the problem:
- Download a shell script (`.sh` was tested) in Google Chrome
- Click the shell script (or in some cases you will not need to click the file)
- The file will automatically open a new terminal and run
What happened:
Autorun is a dangerous feature. If you follow the wrong hyperlink and then incidentally click the shell script, you've just inadvertently compromised your machine.
What should have happened:
A prompt that a shell script is about to run, or alternatively do not grab autorun for any shell scripts in the future.
Edited by Trent Robbins
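
A way to audit a Mac for the condition reported above, as an added example that is not part of the issue or of iTerm2's code. It assumes (the issue does not say this) that the behaviour comes from a terminal being the Launch Services handler for shell scripts plus Chrome's "Always open files of this type" setting; the file locations in the comments and the sample data are likewise assumptions or constructed.

```python
import json
import plistlib

SCRIPT_TYPES = {"public.shell-script", "public.unix-executable"}  # UTIs for scripts
SCRIPT_EXTS = {"sh", "command"}
# Terminal emulator bundle ids, compared lower-cased.
TERMINALS = {"com.googlecode.iterm2", "com.apple.terminal"}

def script_handlers(ls_plist):
    """Map each shell-script type/extension in LSHandlers to its handler bundle ids."""
    found = {}
    for h in plistlib.loads(ls_plist).get("LSHandlers", []):
        ctype = h.get("LSHandlerContentType", "").lower()
        tag = h.get("LSHandlerContentTag", "").lower()
        if ctype in SCRIPT_TYPES:
            key = ctype
        elif h.get("LSHandlerContentTagClass") == "public.filename-extension" and tag in SCRIPT_EXTS:
            key = "." + tag
        else:
            continue
        roles = {v.lower() for k, v in h.items()
                 if k.startswith("LSHandlerRole") and isinstance(v, str)}
        found.setdefault(key, set()).update(roles)
    return found

def chrome_auto_open(prefs_json):
    """Extensions Chrome opens right after download (colon-separated preference)."""
    raw = json.loads(prefs_json).get("download", {}).get("extensions_to_open", "")
    return {e.lower() for e in raw.split(":") if e}

def audit(ls_plist, prefs_json):
    """Return findings where a downloaded script would run without a prompt."""
    findings = []
    for key, bundles in sorted(script_handlers(ls_plist).items()):
        findings += [f"{key} opens in {b}" for b in sorted(bundles & TERMINALS)]
    for ext in sorted(chrome_auto_open(prefs_json) & SCRIPT_EXTS):
        findings.append(f"Chrome auto-opens .{ext} downloads")
    return findings

# Constructed sample data. Assumed real locations:
#   ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
#   ~/Library/Application Support/Google/Chrome/Default/Preferences
SAMPLE_LS = plistlib.dumps({"LSHandlers": [
    {"LSHandlerContentType": "public.shell-script", "LSHandlerRoleAll": "com.googlecode.iterm2"},
    {"LSHandlerContentTag": "sh", "LSHandlerContentTagClass": "public.filename-extension",
     "LSHandlerRoleAll": "com.googlecode.iterm2"},
    {"LSHandlerContentType": "public.html", "LSHandlerRoleAll": "com.google.chrome"}]})
SAMPLE_PREFS = json.dumps({"download": {"extensions_to_open": "sh:pdf"}})

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_LS, SAMPLE_PREFS)))
```

Any finding means a shell script can go from download to execution with one click or none; rebinding the type to a text editor or clearing Chrome's auto-open list removes it.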