[rsync]

So, on the one hand ...

I have actually used 'sz' and 'rz' in relatively modern times for quick and dirty file transfer and found it very convenient in a very narrow set of use-cases.

However ...

It's a serious violation of the cleanliness and available attack surface involved in a terminal interface and we should be on the lookout for, and reject, similar interfaces and applications.

In order for zmodem to work over the terminal, the terminal program itself needs to know something about the text flowing over the connection and then invoke special, extra routines based on monitoring that textual flow.

This opens up all manner of weird, extra attack surface.

The beauty of the text terminal is that I can, theoretically, cat any file I want to without fear of what it contains. I can open up (perhaps with 'strings' or 'hexedit') any email attachment without fear of the strings that it contains. I can do this because I am using a dumb terminal.

As soon as the terminal is smart - even a little bit - you've got vectors for weird strings doing things you don't want them to.

[blueflow]

I have bad news for you. Do you know what (n)curses is for? Its basically a library for those magic strings (and ascii control characters) that run extra routines in the terminal. And every terminal has these routines.

[mbreese]

As I see it, the parent is specifically worried about the terminal needing to monitor input and fork a process in response. Control character handling should be pretty robust (or worst-case, a NOP). Curses-based programs read/write specific control characters to move the cursor, etc (really any tty should support control characters).

But they don’t fork a new process… (unless I’m very mistaken).

[blueflow]

See xterm manpage, "printerCommand" or urxvt manpage, "print-pipe". They may be triggered remotely by the media copy commands. Good news is, this is supposed to be disabled per default.

[kragen]

btw kde konsole has zmodem support apparently?

pretty sure it won't work over mosh tho