Date: Fri, 22 Apr 2016 06:57:37 +0300 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: s/party/hack like it's 1999 On Thu, Apr 21, 2016 at 09:45:59PM +0200, Jakub Wilk wrote: > * up201407890@...nos.dcc.fc.up.pt, 2015-09-17, 18:03: > >'less' doesn't interpret escape sequences unless the -r switch is used, > >so stop aliasing it to 'less -r' just because there's no colored > >output. > > As somebody else noted, it should be s/doesn't interpret/neutralizes/ or > something. But that doesn't mean you should feel safe if you don't use > -r. > > For example, when git automatically spawns a pager, it puts R in the > LESS environment variable. (That would be fine if git escaped \033 > before passing them to the pager, but it doesn't. Oddly, it does seem to > escape other control characters.) Now, -R is less convenient than -r for > hiding malicious code, but you could still set foreground and background > to black in hope that the victim's terminal background is also black. > > But even without -r or -R, one can use backspace characters to hide evil > payload: Right. less has the -U option to prevent that. And yes, it's too many options to remember, unfortunately. Safe(r) use of less was previously discussed here: http://www.openwall.com/lists/oss-security/2015/09/03/9 To view untrusted text files, use "less -nU". Instead of "tail -f", use "less -nUEX +F". Setting up aliases may help. This assumes that your distro didn't setup a script in LESSOPEN that would do something dangerous for the given filename/suffix. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ