Date: Thu, 17 Sep 2015 12:33:28 -0430 From: Manuel Gómez <targen@...il.com> To: oss-security@...ts.openwall.com Subject: Re: s/party/hack like it's 1999 On Thu, Sep 17, 2015 at 11:33 AM, <up201407890@...nos.dcc.fc.up.pt> wrote: > Federico Bento <up201407890@...nos.dcc.fc.up.pt> > > […] > > As you can see, our beloved 'cat' cheated on us. Why? > Because instead of displaying the character-sequence, the escape sequence > \033[XA (being X the number of times) performed some action. > And this action moves the cursor up X times, overwriting what is above it X > lines. > But this doesn't affect only 'cat', it affects everything that interprets > escape sequences. > > [… examples with head, tail, more, curl, wget …] > > 'diff' also interprets escape sequences and so do the resulting patches > > [… examples with diff …] > > Hint: > 'less' doesn't interpret escape sequences unless the -r switch is used, > so stop aliasing it to 'less -r' just because there's no colored output. Not a single one of those programs does anything to its input that ought to be considered any form of interpretation in the sense you imply. They simply produce outputs that correspond to their inputs. If that output is later presented to a terminal emulator, *then* some characters happen to produce effects that go beyond simply displaying them as glyphs on a screen, one by one. There is absolutely nothing wrong with `head`, `tail`, `more`, `curl`, `wget` or `diff`. They are not meant to “interpret” anything of the sort that is being addressed, and indeed they do not. `less` *does* have special processing rules active by default for input sequences that would cause terminals to do anything special; indeed, the default behaviour of `less`, without the `-r` option, is the only mentioned behaviour that may be considered a form of interpretation. > It's no secret, most of us rely on 'cat' to view files. I guess this is one > black kitty, giving you bad luck. Perhaps “most of us” should use `view` to view files.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.