List: oss-security
Subject: Re: [oss-security] s/party/hack like it's 1999
From: Solar Designer <solar () openwall ! com>
Date: 2016-04-22 3:57:37
Message-ID: 20160422035737.GA14458 () openwall ! com
On Thu, Apr 21, 2016 at 09:45:59PM +0200, Jakub Wilk wrote:
> * up201407890@alunos.dcc.fc.up.pt, 2015-09-17, 18:03:
> >'less' doesn't interpret escape sequences unless the -r switch is used,
> >so stop aliasing it to 'less -r' just because there's no colored
> >output.
>
> As somebody else noted, it should be s/doesn't interpret/neutralizes/ or
> something. But that doesn't mean you should feel safe if you don't use
> -r.
>
> For example, when git automatically spawns a pager, it puts R in the
> LESS environment variable. (That would be fine if git escaped \033
> before passing them to the pager, but it doesn't. Oddly, it does seem to
> escape other control characters.) Now, -R is less convenient than -r for
> hiding malicious code, but you could still set foreground and background
> to black in hope that the victim's terminal background is also black.
>
> But even without -r or -R, one can use backspace characters to hide evil
> payload:

Right. less has the -U option to prevent that. And yes, it's too many
options to remember, unfortunately. Safe(r) use of less was previously
discussed here:

http://www.openwall.com/lists/oss-security/2015/09/03/9

To view untrusted text files, use "less -nU". Instead of "tail -f", use
"less -nUEX +F". Setting up aliases may help.

This assumes that your distro didn't set up a script in LESSOPEN that
would do something dangerous for the given filename/suffix.

Alexander
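
The aliases suggested above, written as shell functions, together with a pre-check for the backspace and \033 bytes discussed in the quoted text. This is an added example, not part of the original message; the names ctrl_counts, has_hidden_ctrl, vless and vtail are hypothetical, and clearing LESS, LESSOPEN and LESSCLOSE inside the wrappers is an added assumption about what a cautious setup would do.

```shell
# Added example (not from the original message); all function names are hypothetical.

# Count the bytes that can hide or restyle text on a terminal:
# backspace (octal 010, overstrike) and ESC (octal 033, escape sequences).
# $1: file to inspect. Prints "bs=N esc=N".
ctrl_counts() {
    cc_bs=$(( $(tr -cd '\010' < "$1" | wc -c) ))
    cc_esc=$(( $(tr -cd '\033' < "$1" | wc -c) ))
    printf 'bs=%d esc=%d\n' "$cc_bs" "$cc_esc"
}

# Succeeds (exit 0) if the file contains any backspace or ESC byte.
has_hidden_ctrl() {
    case $(ctrl_counts "$1") in
        'bs=0 esc=0') return 1 ;;
        *)            return 0 ;;
    esac
}

# View untrusted text with the options from the message: less -nU.
# Assumption: LESS, LESSOPEN and LESSCLOSE are cleared in a subshell so that
# neither options inherited from the environment (for example R in LESS)
# nor an input preprocessor apply to this invocation.
vless() {
    ( unset LESS LESSOPEN LESSCLOSE; exec less -nU -- "$@" )
}

# Replacement for "tail -f" with the options from the message: less -nUEX +F.
vtail() {
    ( unset LESS LESSOPEN LESSCLOSE; exec less -nUEX +F -- "$@" )
}

# Constructed sample: four overstruck characters plus two colour escape sequences.
sample=$(mktemp)
printf 'AAAA\010\010\010\010BBBB \033[30mX\033[0m\n' > "$sample"
ctrl_counts "$sample"    # bs=4 esc=2
rm -f "$sample"
```

A non-zero count is a reason to open the file with vless rather than a pager configured with -r or -R.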