Date: Tue, 10 Apr 2018 13:02:27 +0200
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: Re: Terminal Control Chars


On Tue, 10 Apr 2018, Gordo Lowrey wrote:

> On Mon, Mar 5, 2018 at 11:50 AM, up201407890@...nos.dcc.fc.up.pt wrote:
> >The correct solution would be to disallow the pasting of certain control
> >characters.

FWIW: The vim PoC has been "fixed" as of
https://github.com/vim/vim/releases/tag/v8.0.1587

> I'm just gonna go out on a limb here, and say this is an unfounded
> assertion.
> 
> Perhaps the correct solution would be to prevent the browser from copying
> invisible characters.
> 
> If you're going to break some basic mechanic of human computer interaction,
> at least don't break my damn terminal (not that I use VTE, it doesn't
> support OSC 52, among others), but the principle stands... Instead of
> worrying about sanitizing what is pasted, why not worry about sanitizing
> what is copied instead?

That was also the conclusion on the vim-dev list.

There is a similar Debian bug report against rxvt-unicode where the same 
conclusion is drawn:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787628#15

And the corresponding Mozilla/Firefox bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=637895

Best,
Christian
