by couchand
3965 days ago
Terminal attacks are not new and the solution isn't to expect every individual program to escape terminal escape codes.

The ideal solution is to sanitize all data before displaying it on your terminal, however without a custom terminal application or data filter, you can't guarantee that every tool you use on the command-line is going to strip escape sequences. The responsibility should rest on the actual terminal emulator; any features that allow file or command-line access should be disabled by default and more attention should be paid to new features that implement any use of escape sequences. [0]

Are you cloning untrusted repositories to your computer and running git log blindly?

[0]: http://marc.info/?l=bugtraq&m=104612710031920
I mean, it would be super nice for your terminal emulator to just automagically filter out escape sequences when you, the user, do not want them and to allow them for programs that you do. A whitelist would work but would be super annoying to actually verify as so many programs output things from so many different inputs. It seems like programs themselves should decide if they need to output arbitrary data and, in cases where they don't, like git, they can filter it.
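
The kind of data filter both comments refer to, as an added example that is not part of either comment or of any tool named in the thread: it renders control characters in visible caret notation so untrusted text reaches the terminal inert, and can optionally pass colour-only sequences through. The names `sanitize`, `SGR`, `CONTROL` and the sample input are assumptions made for this sketch.

```python
import re
import sys

# SGR sequences (ESC [ params m) only change colour/style; optionally allowed.
SGR = re.compile(r"\x1b\[[0-9;]*m")
# C0 controls except TAB and LF, plus DEL and the 8-bit C1 range (0x9b is CSI).
CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def _visible(match):
    """Render one control character in inert caret/hex notation."""
    code = ord(match.group())
    if code < 0x20:
        return "^" + chr(code + 0x40)  # ESC (0x1b) becomes ^[
    return "^?" if code == 0x7F else f"<{code:02X}>"


def sanitize(text, keep_colour=False):
    """Neutralise terminal control sequences in untrusted text (hypothetical helper)."""
    if not keep_colour:
        return CONTROL.sub(_visible, text)
    out, pos = [], 0
    for m in SGR.finditer(text):  # pass colour sequences through, defang the rest
        out.append(CONTROL.sub(_visible, text[pos:m.start()]))
        out.append(m.group())
        pos = m.end()
    out.append(CONTROL.sub(_visible, text[pos:]))
    return "".join(out)


# Constructed sample: a commit subject carrying a title-setting OSC sequence,
# a carriage return plus erase-line CSI, and a legitimate colour sequence.
SAMPLE = "fix typo\x1b]0;spoofed title\x07\r\x1b[2K\x1b[31mAuthor: alice\x1b[0m\n"

if __name__ == "__main__":
    # Usage: git log | python3 this_file.py [--colour]
    # newline="\n" keeps bare carriage returns so they are shown as ^M.
    sys.stdin.reconfigure(errors="replace", newline="\n")
    for line in sys.stdin:
        sys.stdout.write(sanitize(line, keep_colour="--colour" in sys.argv))
```

Rendering every control character visibly, rather than trying to parse and delete whole sequences, means an unrecognised or malformed sequence cannot slip past the filter.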