Date: Thu, 12 Apr 2018 17:18:45 -0400 (EDT) From: "David A. Wheeler" <dwheeler@...eeler.com> To: "oss-security" <oss-security@...ts.openwall.com> CC: "oss-security" <oss-security@...ts.openwall.com> Subject: Re: Re: Terminal Control Chars On Thu, 12 Apr 2018 11:07:20 -0700, Ian Zimmerman <itz@...y.loosely.org> wrote: > The term "invisible character" has some obvious (if perhaps informal) > meaning. But I don't really know what "control character" means. Is a > page separator (^L) a control character, for example? Is DEL one (ASCII > 127)? The term "control character" has a standard definition for every encoding I'm familiar with. ASCII defined a set of control characters, and Unicode built on them. The Unicode list of control characters is here: https://www.fileformat.info/info/unicode/category/Cc/list.htm You'll see it includes: U+0007 BELL U+0008 BACKSPACE U+0009 CHARACTER TABULATION U+000A LINE FEED (LF) U+000C FORM FEED (FF) (aka ^L) U+000D CARRIAGE RETURN (CR) U+007F DELETE According to Wikipedia <https://en.wikipedia.org/wiki/ASCII>, the set of control characters in US-ASCII is 00..1F and 7F (hex). Russ Allbery: > I think a useful definition of "control character" in this context (and I > realize this doesn't exactly match the ASCII definition) is a character > that results in an action other than insertion being taken... > CR and LF would not be control characters in that definition, since they > insert a newline and don't cause an action. Similarly, TAB wouldn't be a > control character in that definition. As you noted, that definition doesn't match the ASCII definition, but I also think it's misleading. If someone pastes a CR/LF into a shell prompt, it certainly *DOES* cause an action, namely, execution of that line. That's probably not what you meant by "action", but from a security point-of-view, causing a script to execute is rather important :-). --- David A. Wheeler
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ