Date: Thu, 10 Sep 1998 17:33:41 -0700
From: Brian Behlendorf <brian@hyperreal.org>
To: andrew@squiz.co.nz
Cc: security@FreeBSD.ORG
Subject: Re: terminal escape exploit (was Re: cat exploit)
Message-ID: <19980911003306.3455.qmail@hyperreal.org>
In-Reply-To: <Pine.BSF.3.96.980911091351.5407B-100000@aniwa.sky>
References: <35F818CA.8647A116@dal.net>
At 09:19 AM 9/11/98 +1200, Andrew McNaughton wrote:
>On Thu, 10 Sep 1998, Studded wrote:
>
>> It seems to me that a lot of people missed the point of one of the
>> warnings that someone else posted in response actually. Don't use cat
>> routinely to view files. Use more, or better yet less since less doesn't
>> view binary files by default.
>
>It's not just cat that you've got to worry about. tail is another one.
>How many people routinely use 'tail -f' to monitor log info that includes
>potentially tainted content?

Yeah, especially when trying to debug a problem that requires root. I do this.

>The problem is not cat. It's xterm and other similar terminal programs.

I agree. Even if the old-timers around here are saying "it's always been like that, just don't do it and it'll be all OK", I still see this as a design flaw, and would like to believe that "running arbitrary commands" can be prevented without preventing all the legitimate uses for escape sequences.

Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Common sense is the collection of prejudices | brian@apache.org
acquired by the age of eighteen." - Einstein   | brian@hyperreal.org
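The mitigation the thread is asking for, as an added example that is not part of the message or of FreeBSD: a filter that sits between `tail -f` and the terminal, renders every control byte visibly the way `cat -v` does (so no ESC ever reaches xterm), and reports which escape-sequence shapes were present so the log viewer knows something tried to drive the terminal. The sample log lines are constructed; `logsafe.py` is an assumed script name.

```python
"""Render untrusted log text safely on a terminal (added example, not from the thread).
Works like `cat -v`: control bytes become visible caret notation, and the
escape-sequence shapes seen are reported; use as `tail -f log | python3 logsafe.py`."""
import re
import sys

# 7-bit sequence shapes a terminal would act on if the raw ESC byte reached it.
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")            # ESC [ params final-byte
OSC_RE = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?")  # ESC ] ... BEL or ESC \
# Every C0/C1 control byte except TAB and LF. Making these visible breaks any
# sequence, whether or not the two shapes above recognise it.
CTRL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")

def visible(ch: str) -> str:
    """Caret notation as cat -v prints it: ESC -> ^[, BEL -> ^G, DEL -> ^?, 0x9b -> M-^[."""
    code = ord(ch)
    if code == 0x7f:
        return "^?"
    if code >= 0x80:                    # C1 controls, e.g. the 8-bit CSI byte
        return "M-^" + chr(code - 0x80 + 0x40)
    return "^" + chr(code + 0x40)

def classify(line: str) -> list:
    """Names of escape-sequence kinds found, for alerting; empty if the line is clean."""
    kinds = []
    if CSI_RE.search(line):
        kinds.append("CSI")
    if OSC_RE.search(line):
        kinds.append("OSC")
    if not kinds and CTRL_RE.search(line):
        kinds.append("CTRL")            # stray control bytes, no recognised shape
    return kinds

def sanitize(line: str) -> str:
    """Return the line with every control byte rendered in caret notation."""
    return CTRL_RE.sub(lambda m: visible(m.group(0)), line)

# Constructed sample lines: one clean, one carrying an OSC window-title sequence
# and an SGR colour sequence, the kind of thing a remote client can put in a log.
SAMPLE_LOG = [
    "Sep 10 17:33:41 host sshd[123]: Accepted publickey for brian",
    "Sep 10 17:34:02 host httpd: GET /\x1b]0;changed title\x07\x1b[31mindex.html\x1b[0m",
]

if __name__ == "__main__":
    src = sys.stdin if not sys.stdin.isatty() else iter(SAMPLE_LOG)
    for raw in src:
        line = raw.rstrip("\n")
        kinds = classify(line)
        tag = f"[escape:{','.join(kinds)}] " if kinds else ""
        print(tag + sanitize(line))
```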