Date: Fri, 22 Apr 2016 06:57:37 +0300 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: s/party/hack like it's 1999 On Thu, Apr 21, 2016 at 09:45:59PM +0200, Jakub Wilk wrote: > * up201407890@...nos.dcc.fc.up.pt, 2015-09-17, 18:03: > >'less' doesn't interpret escape sequences unless the -r switch is used, > >so stop aliasing it to 'less -r' just because there's no colored > >output. > > As somebody else noted, it should be s/doesn't interpret/neutralizes/ or > something. But that doesn't mean you should feel safe if you don't use > -r. > > For example, when git automatically spawns a pager, it puts R in the > LESS environment variable. (That would be fine if git escaped \033 > before passing them to the pager, but it doesn't. Oddly, it does seem to > escape other control characters.) Now, -R is less convenient than -r for > hiding malicious code, but you could still set foreground and background > to black in hope that the victim's terminal background is also black. > > But even without -r or -R, one can use backspace characters to hide evil > payload: Right. less has the -U option to prevent that. And yes, it's too many options to remember, unfortunately. Safe(r) use of less was previously discussed here: http://www.openwall.com/lists/oss-security/2015/09/03/9 To view untrusted text files, use "less -nU". Instead of "tail -f", use "less -nUEX +F". Setting up aliases may help. This assumes that your distro didn't setup a script in LESSOPEN that would do something dangerous for the given filename/suffix. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.