Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 17 Sep 2015 12:33:28 -0430
From: Manuel Gómez <targen@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: s/party/hack like it's 1999

On Thu, Sep 17, 2015 at 11:33 AM,  <up201407890@...nos.dcc.fc.up.pt> wrote:
> Federico Bento <up201407890@...nos.dcc.fc.up.pt>
>
> […]
>
> As you can see, our beloved 'cat' cheated on us. Why?
> Because instead of displaying the character-sequence, the escape sequence
> \033[XA (being X the number of times) performed some action.
> And this action moves the cursor up X times, overwriting what is above it X
> lines.
> But this doesn't affect only 'cat', it affects everything that interprets
> escape sequences.
>
> [… examples with head, tail, more, curl, wget …]
>
> 'diff' also interprets escape sequences and so do the resulting patches
>
> [… examples with diff …]
>
> Hint:
> 'less' doesn't interpret escape sequences unless the -r switch is used,
> so stop aliasing it to 'less -r' just because there's no colored output.

Not a single one of those programs does anything to its input that
ought to be considered any form of interpretation in the sense you
imply.  They simply produce outputs that correspond to their inputs.
If that output is later presented to a terminal emulator, *then* some
characters happen to produce effects that go beyond simply displaying
them as glyphs on a screen, one by one.

There is absolutely nothing wrong with `head`, `tail`, `more`, `curl`,
`wget` or `diff`.  They are not meant to “interpret” anything of the
sort that is being addressed, and indeed they do not.  `less` *does*
have special processing rules active by default for input sequences
that would cause terminals to do anything special; indeed, the default
behaviour of `less`, without the `-r` option, is the only mentioned
behaviour that may be considered a form of interpretation.

> It's no secret, most of us rely on 'cat' to view files. I guess this is one
> black kitty, giving you bad luck.

Perhaps “most of us” should use `view` to view files.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.