Date: Fri, 13 Apr 2018 09:43:10 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: Terminal Control Chars

* Jakub Wilk <jwilk@...lk.net>, 2018-04-12, 19:13:
>>Perhaps the correct solution would be to prevent the browser from 
>>copying invisible characters.
>
>Do you mean control characters, or something else?

One reason I asked is because for some people the knee-jerk reaction upon 
learning about this issue is to insist that the browser should only copy 
what the user sees. Cleverly, they never elaborate what that means 
exactly.

Is a "font-size: 3pt" text visible? Should the browser consult the 
user's eye exam results before deciding what to copy?

Does it mean Ctrl+A Ctrl+C would copy only text within the viewport? I 
guess so, but that's not what browser users expect.

And in the PDF world: the user is often shown a scan, and there's a 
hidden copyable text layer. Should the PDF browser somehow refuse to 
copy text with recognition errors?

>>If you're going to break some basic mechanic of human computer 
>>interaction,
>Huh? Most users don't interact with their terminal-based software by 
>pasting control characters.

As it was noted elsewhere in this thread, tabs and newlines are control 
characters, too. People paste them all the time. But I don't think 
anyone is seriously proposing to filter out these two.

-- 
Jakub Wilk
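
An added example, not part of the original message or of any project discussed in the thread: a paste audit that separates control characters from other invisible characters, the distinction the message asks about. The function name, the sample string and the choice to keep (but report) format characters are assumptions of this example.

```python
import unicodedata

# As the message notes, tab and newline are control characters that people
# paste all the time, so this example keeps them.
KEEP = {"\t", "\n"}


def audit_paste(text):
    """Return (cleaned, findings) for text about to be pasted into a terminal.

    Unicode category Cc covers C0 controls, DEL and C1 controls; all of them
    except tab and newline are dropped. Category Cf (format characters such
    as the zero-width space) is invisible but is not "control"; those
    characters are reported and kept, which is an assumption of this example.
    """
    cleaned = []
    findings = []
    for offset, ch in enumerate(text):
        category = unicodedata.category(ch)
        if category == "Cc" and ch not in KEEP:
            findings.append((offset, f"U+{ord(ch):04X}", "control", "removed"))
            continue
        if category == "Cf":
            findings.append((offset, f"U+{ord(ch):04X}", "format", "kept"))
        cleaned.append(ch)
    return "".join(cleaned), findings


# Constructed sample: a tab, an ESC-introduced sequence, a zero-width space,
# a backspace and a trailing newline.
SAMPLE = "ls\t-l\x1b[0m\u200b\x08\n"

if __name__ == "__main__":
    cleaned, findings = audit_paste(SAMPLE)
    print(repr(cleaned))
    for finding in findings:
        print(finding)
```

Only the ESC byte itself is a control character; the printable remainder of the sequence (`[0m`) survives the filter, so the result is inert but not identical to what was rendered on the page.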
