Date: Thu, 12 Apr 2018 15:31:19 -0700
From: Russ Allbery <eagle@...ie.org>
To: "David A. Wheeler" <dwheeler@...eeler.com>
Cc: "oss-security" <oss-security@...ts.openwall.com>
Subject: Re: Re: Terminal Control Chars

"David A. Wheeler" <dwheeler@...eeler.com> writes:
> Russ Allbery:

>> I think a useful definition of "control character" in this context (and
>> I realize this doesn't exactly match the ASCII definition) is a
>> character that results in an action other than insertion being taken...
>> CR and LF would not be control characters in that definition, since
>> they insert a newline and don't cause an action. Similarly, TAB
>> wouldn't be a control character in that definition.

> As you noted, that definition doesn't match the ASCII definition, but I
> also think it's misleading.  If someone pastes a CR/LF into a shell
> prompt, it certainly *DOES* cause an action, namely, execution of that
> line.  That's probably not what you meant by "action", but from a
> security point-of-view, causing a script to execute is rather important
> :-).

That's a fair counterpoint.

That unfortunately means that the specification one wants is to deny
pasting control messages except for a particular set (since you're
certainly not going to want to stop pasting of a newline sequence, and
probably not pasting of tabs), and then you have to find the right way to
define that set of characters that you want to allow.

I have some "I know it when I see it" definition in my head, but it's hard
to be precise without listing out the specific characters that I would
allow and that I would disallow (at least as interpreted commands).

-- 
Russ Allbery (eagle@...ie.org)              <http://www.eyrie.org/~eagle/>
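The allow-list approach the message describes (drop every control character except a small set the receiver explicitly tolerates) is easy to state in code. The example below is added here and is not part of the thread or any project mentioned in it. It uses the Unicode "Cc" category as the working definition of control character (C0 controls, DEL and the C1 range) and keeps only newline and tab by default; which characters belong in the allowed set is exactly the question the message leaves open, so the default is this example's assumption and the caller can widen it, for instance to admit CR.

```python
import unicodedata

# Control characters kept by default. This default is the example's own
# choice: newline and tab are retained, every other character in Unicode
# category Cc is treated as a command to the terminal and dropped.
DEFAULT_ALLOWED = frozenset({"\n", "\t"})


def is_control(ch: str) -> bool:
    """True for Unicode category Cc: U+0000-U+001F, U+007F, U+0080-U+009F."""
    return unicodedata.category(ch) == "Cc"


def find_disallowed_controls(text, allowed=DEFAULT_ALLOWED):
    """Return (offset, codepoint) pairs for every control char not in `allowed`.

    A check to run before displaying or acting on pasted or logged text: an
    empty list means the text holds only printable characters plus the
    allowed set.
    """
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text)
            if is_control(ch) and ch not in allowed]


def sanitize(text, allowed=DEFAULT_ALLOWED):
    """Drop every control character not in `allowed`.

    ESC (U+001B) is itself a control character, so removing it also defuses
    any escape sequence it introduced: the characters that followed it
    ("[2J", "]0;...") are ordinary printable text once the ESC is gone.
    """
    return "".join(ch for ch in text if not is_control(ch) or ch in allowed)


if __name__ == "__main__":
    # Constructed sample: a harmless command, then a clear-screen escape
    # sequence, a DEL, a C1 control (NEL) and a trailing newline.
    sample = "echo hi\x1b[2J\x7f\x85 there\n"
    print(find_disallowed_controls(sample))
    print(repr(sanitize(sample)))
    # Whether CR is tolerated is the receiver's decision, as the thread notes.
    print(repr(sanitize("a\r\nb", allowed=DEFAULT_ALLOWED | {"\r"})))
```

The detection function and the filter share one predicate, so a deployment that only wants to log or reject suspicious input (rather than silently rewrite it) can call `find_disallowed_controls` alone and still agree with what `sanitize` would have removed.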
