[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] s/party/hack like it's 1999
From:       Solar Designer <solar () openwall ! com>
Date:       2016-04-22 3:57:37
Message-ID: 20160422035737.GA14458 () openwall ! com
[Download RAW message or body]

On Thu, Apr 21, 2016 at 09:45:59PM +0200, Jakub Wilk wrote:
> * up201407890@alunos.dcc.fc.up.pt, 2015-09-17, 18:03:
> >'less' doesn't interpret escape sequences unless the -r switch is used, 
> >so stop aliasing it to 'less -r' just because there's no colored 
> >output.
> 
> As somebody else noted, it should be s/doesn't interpret/neutralizes/ or 
> something. But that doesn't mean you should feel safe if you don't use 
> -r.
> 
> For example, when git automatically spawns a pager, it puts R in the 
> LESS environment variable. (That would be fine if git escaped \033 
> before passing them to the pager, but it doesn't. Oddly, it does seem to 
> escape other control characters.) Now, -R is less convenient than -r for 
> hiding malicious code, but you could still set foreground and background 
> to black in hope that the victim's terminal background is also black.
> 
> But even without -r or -R, one can use backspace characters to hide evil 
> payload:

Right.  less has the -U option to prevent that.  And yes, it's too many
options to remember, unfortunately.  Safe(r) use of less was previously
discussed here:

http://www.openwall.com/lists/oss-security/2015/09/03/9

To view untrusted text files, use "less -nU".  Instead of "tail -f", use
"less -nUEX +F".  Setting up aliases may help.

This assumes that your distro didn't setup a script in LESSOPEN that
would do something dangerous for the given filename/suffix.

Alexander
[prev in list] [next in list] [prev in thread] [next in thread]