oss-sec mailing list archives
Re: Terminal Control Chars
From: Jakub Wilk <jwilk () jwilk net>
Date: Thu, 12 Apr 2018 19:13:27 +0200
* Gordo Lowrey <gordo () zeneval com>, 2018-04-10, 03:53:
The correct solution would be to disallow the pasting of certain control characters.I'm just gonna go out on a limb here, and say this is an unfounded assertion.Perhaps the correct solution would be to prevent the browser from copying invisible characters.
Do you mean control characters, or something else?
If you're going to break some basic mechanic of human computer interaction,
Huh? Most users don't interact with their terminal-based software by pasting control characters. I bet most people don't even realize that it's even possible to do that. I've been using terminal emulators for 15 years, and the only time I willingly did such pastes was to test exploits for this very problem.
If you have a practical use case for such interaction, please tell us what is. I, for one, have no idea what this might be.
Instead of worrying about sanitizing what is pasted, why not worry about sanitizing what is copied instead?
Why? Is it the browser fault that terminal emulators interpret some characters in a funny way?
Besides, paste consumers have much better idea what needs to be sanitized than paste producers.
* For software that access the clipboard directly, no sanitization is needed. Yay!
* On some systems, if terminal is a cooked mode, control characters can be escaped, usually with ^V. (But a paste producer can't possibly know what the terminal mode or the escape character is going to be!)
* In bracketed paste mode, the only sequence that needs to be neutralized is the one that leaves the mode.
From egoistical point of view, I'd also prefer if this was fixed in my terminal. On my system, I have multiple paste producers potentially affected by this (web browser, two PDF readers, office suite, ...), but only one terminal emulator installed. It's much easier for me to verify that the terminal emulator behaves (it doesn't) than to check the rest of the software involved in this mess.
BTW, a recent LWN article about terminal emulators briefly mentioned the problem of pasting security:
https://lwn.net/Articles/749992/(The article incorrectly states that urxvt's confirm-paste plugin protects against this attack. Read the article comments to see why this is not the case.)
-- Jakub Wilk
Current thread:
- Re: Terminal Control Chars Ian Zimmerman (Apr 09)
- Re: Re: Terminal Control Chars Not Real (Apr 09)
- Re: Re: Terminal Control Chars Jakub Wilk (Apr 10)
- <Possible follow-ups>
- Re: Terminal Control Chars Gordo Lowrey (Apr 10)
- Re: Terminal Control Chars Christian Brabandt (Apr 10)
- Re: Terminal Control Chars Jakub Wilk (Apr 12)
- Re: Terminal Control Chars Ian Zimmerman (Apr 12)
- Re: Re: Terminal Control Chars Russ Allbery (Apr 12)
- Re: Re: Terminal Control Chars David A. Wheeler (Apr 12)
- Re: Re: Terminal Control Chars Russ Allbery (Apr 12)
- Re: Re: Terminal Control Chars Simon McVittie (Apr 12)
- Re: Re: Terminal Control Chars David A. Wheeler (Apr 12)
- Re: Re: Terminal Control Chars Jakub Wilk (Apr 16)
- Re: Re: Terminal Control Chars Not Real (Apr 09)
- Re: Terminal Control Chars Jakub Wilk (Apr 13)