Date: Thu, 10 Sep 1998 15:30:36 -0700
From: Jamie Lawrence <jal@ThirdAge.com>
To: Aleph One <aleph1@dfw.net>
Cc: security@FreeBSD.ORG
Subject: Re: cat exploit
Message-ID: <3.0.5.32.19980910153036.00ce92a0@204.74.82.151>
In-Reply-To: <Pine.SUN.4.01.9809101703330.26013-100000@dfw.nationwide.net>
References: <3.0.5.32.19980910144756.01d24c70@204.74.82.151>
[My last comment on the topic.]

>The problem may be as old as unix itself. Nonetheless, it hasn't been
>fixed. Fixing it in cat, by not using it or modifying it, is the wrong
>solution. Nor is this a root only problem. You and I may know not to use
>cat, but what about all your users? Nor is cat the only way to display
>files. The correct solution is to fix terminal emulators to ignore
>dangerous escape characters.

The fact of the matter is that this is defined behaviour. cat by default sends input to the terminal. The terminal processes certain input in certain ways. 'Fixing' terms would break an installed base of tools that use those escape characters. Perhaps processing escapes was a bad design idea - I certainly won't try to defend it from a security standpoint. But breaking a ton of tools to fix a different set is not a workable solution.

As far as "what about the users" goes, I know of no way to save them from all the ways they can shoot themselves in the foot, save disabling a majority of the supplied OS utilities.

I disagree that 'fixing' the terminals is the correct solution, even if they can be 'fixed' to provide the desired results without breaking compatibility (which I don't believe is possible, but then I haven't investigated it). From a security standpoint, it _might_ be, in some contexts.

I find it odd that this one is suddenly getting so much attention. Nature of mailing lists, I suppose.

-j

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.5.32.19980910153036.00ce92a0>
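The thread argues over where to neutralise terminal escape sequences: in cat, in the terminal, or nowhere. A third place, not discussed in the message above, is a viewer-side filter that renders control characters visibly (the behaviour of `cat -v`) before untrusted file contents reach the terminal, and a scanner that reports which escape sequences a file contains so an administrator can decide whether to look at it at all. The following is an added example written for this archive page; it is not code from the poster, from FreeBSD, or from cat itself. The sample input is constructed, and the three regex alternatives (CSI, OSC, and other two-byte ESC sequences) are a simplification of the ANSI/ECMA-48 grammar rather than a complete parser.

```python
import re

# Constructed sample: text containing a CSI colour sequence, a CSI reset,
# and an OSC "set window title" sequence terminated by BEL.
SAMPLE = "hello\x1b[31m world\x1b[0m\x1b]0;title\x07 done\n"

# Simplified escape-sequence grammar (assumption: covers the common forms only):
#   CSI:  ESC [ params intermediates final-byte
#   OSC:  ESC ] text (BEL | ESC \)
#   other two-byte ESC sequences: ESC followed by one byte in 0x40..0x5f
ESCAPE_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"            # CSI
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC
    r"|\x1b[@-Z\\-_]"                       # other Fe sequences
)


def make_visible(data: str) -> str:
    """Render C0 control characters and DEL as printable caret notation,
    in the style of `cat -v`: ESC becomes ^[, BEL becomes ^G, DEL becomes ^?.
    Tab and newline are passed through unchanged so the text stays readable."""
    out = []
    for ch in data:
        code = ord(ch)
        if ch in ("\n", "\t"):
            out.append(ch)
        elif code < 0x20:
            out.append("^" + chr(code + 0x40))
        elif code == 0x7F:
            out.append("^?")
        else:
            out.append(ch)
    return "".join(out)


def find_escape_sequences(data: str) -> list:
    """Return every escape sequence found in the text, in order of appearance,
    so a reviewer can see what a file would do to the terminal before viewing it."""
    return [m.group(0) for m in ESCAPE_RE.finditer(data)]


if __name__ == "__main__":
    print("sequences found:", [s.encode() for s in find_escape_sequences(SAMPLE)])
    print(make_visible(SAMPLE), end="")
```

`make_visible` is the conservative choice for displaying untrusted content: it needs no knowledge of which sequences are dangerous, because nothing that could be interpreted by the terminal survives. `find_escape_sequences` is the detection counterpart for log or file review, and because it matches whole sequences rather than bare ESC bytes, its output tells the reviewer what the file would have tried to do.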