Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 12 Apr 2018 17:18:45 -0400 (EDT)
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: "oss-security" <oss-security@...ts.openwall.com>
CC: "oss-security" <oss-security@...ts.openwall.com>
Subject: Re: Re: Terminal Control Chars

On Thu, 12 Apr 2018 11:07:20 -0700, Ian Zimmerman <itz@...y.loosely.org> wrote:
> The term "invisible character" has some obvious (if perhaps informal)
> meaning.  But I don't really know what "control character" means.  Is a
> page separator (^L) a control character, for example?  Is DEL one (ASCII
> 127)?

The term "control character" has a standard definition for every encoding
I'm familiar with.  ASCII defined a set of control characters, and
Unicode built on them.

The Unicode list of control characters is here:
https://www.fileformat.info/info/unicode/category/Cc/list.htm
You'll see it includes:
U+0007 	BELL
U+0008 	BACKSPACE
U+0009 	CHARACTER TABULATION
U+000A 	LINE FEED (LF)
U+000C 	FORM FEED (FF) (aka ^L)
U+000D 	CARRIAGE RETURN (CR)
U+007F 	DELETE

According to Wikipedia <https://en.wikipedia.org/wiki/ASCII>,
the set of control characters in US-ASCII is 00..1F and 7F (hex).

Russ Allbery:
> I think a useful definition of "control character" in this context (and I
> realize this doesn't exactly match the ASCII definition) is a character
> that results in an action other than insertion being taken...
> CR and LF would not be control characters in that definition, since they
> insert a newline and don't cause an action. Similarly, TAB wouldn't be a
> control character in that definition.

As you noted, that definition doesn't match the ASCII definition, but
I also think it's misleading.  If someone pastes a CR/LF into a shell prompt,
it certainly *DOES* cause an action, namely, execution of that line.
That's probably not what you meant by "action", but from a security
point-of-view, causing a script to execute is rather important :-).

--- David A. Wheeler

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ