[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Terminal Control Chars
From:       Christian Brabandt <cb () 256bit ! org>
Date:       2018-04-10 11:02:27
Message-ID: 20180410110227.GE19724 () 256bit ! org
[Download RAW message or body]


On Di, 10 Apr 2018, Gordo Lowrey wrote:

> On Mon, Mar 5, 2018 at 11:50 AM, up201407890@alunos.dcc.fc.up.pt wrote:
> >The correct solution would be to disallow the pasting of certain control
> >characters.

FWIW: The vim poc has been "fixed" as of 
https://github.com/vim/vim/releases/tag/v8.0.1587

> I'm just gonna go out on a limb here, and say this is an unfounded
> assertion.
> 
> Perhaps the correct solution would be to prevent the browser from copying
> invisible characters.
> 
> If you're going to break some basic mechanic of human computer interaction,
> at least don't break my damn terminal (not that I use VTE, it doesn't
> support OSC 52, among others), but the principle stands... Instead of
> worrying about sanitizing what is pasted, why not worry about sanitizing
> what is copied instead?

That was also the conclusion on the vim-dev list.

There is a similar Debian bug report against rxvt-unicode where the same 
conclusion is drawn:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787628#15

And the corresponding mozilla/firefox bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=637895

Best,
Christian
[prev in list] [next in list] [prev in thread] [next in thread]