Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 12 Apr 2018 19:13:27 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: Terminal Control Chars

* Gordo Lowrey <gordo@...eval.com>, 2018-04-10, 03:53:
>>The correct solution would be to disallow the pasting of certain 
>>control characters.
>
>I'm just gonna go out on a limb here, and say this is an unfounded 
>assertion.
>
>Perhaps the correct solution would be to prevent the browser from 
>copying invisible characters.

Do you mean control characters, or something else?

>If you're going to break some basic mechanic of human computer 
>interaction,

Huh? Most users don't interact with their terminal-based software by 
pasting control characters. I bet most people don't even realize that 
it's even possible to do that. I've been using terminal emulators for 15 
years, and the only time I willingly did such pastes was to test 
exploits for this very problem.

If you have a practical use case for such interaction, please tell us 
what is. I, for one, have no idea what this might be.

>Instead of worrying about sanitizing what is pasted, why not worry 
>about sanitizing what is copied instead?

Why? Is it the browser fault that terminal emulators interpret some 
characters in a funny way?

Besides, paste consumers have much better idea what needs to be 
sanitized than paste producers.

* For software that access the clipboard directly, no sanitization is 
needed. Yay!

* On some systems, if terminal is a cooked mode, control characters can 
be escaped, usually with ^V. (But a paste producer can't possibly know 
what the terminal mode or the escape character is going to be!)

* In bracketed paste mode, the only sequence that needs to be 
neutralized is the one that leaves the mode.

From egoistical point of view, I'd also prefer if this was fixed in my 
terminal. On my system, I have multiple paste producers potentially 
affected by this (web browser, two PDF readers, office suite, ...), but 
only one terminal emulator installed. It's much easier for me to verify 
that the terminal emulator behaves (it doesn't) than to check the rest 
of the software involved in this mess.

BTW, a recent LWN article about terminal emulators briefly mentioned the 
problem of pasting security:
https://lwn.net/Articles/749992/
(The article incorrectly states that urxvt's confirm-paste plugin 
protects against this attack. Read the article comments to see why this 
is not the case.)

-- 
Jakub Wilk

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.