[f30e3dfed1c9]

I think this article is horribly written. The second paragraph, in its entirety, reads:

> It turns out that it is NOT, if you use iTerm2.

And as far as I can tell, that is a vast overstatement. I think an actually true statement would be "It may not be, if you use iTerm2 and its optional 'Shell Integration' feature."

As far as I can tell, the "Shell Integration" feature under discussion is entirely optional and disabled by default. If it's not enabled, then there is no problem here. End of story.

Happy to be corrected if I'm wrong about this.

[cryptbe]

The feature is enabled by default. You can test it by yourself.

[f30e3dfed1c9]

Thank you. If correct, that is helpful. I only checked my own copy and as far as I can tell, the feature is disabled. It may well be that I disabled it, I don't remember. Seems like the kind of thing I would disable if I noticed it but iTerm2 has so many features and so many settings that I have no idea whether I ever noticed it before this.

I note that the documentation says this:

> Shell Integration

> iTerm2 may be integrated with the unix shell so that [blah blah blah]

> How To Enable Shell Integration

> [blah blah blah]

And that does not make it sound as if it's enabled by default. I really don't know. I only started using iTerm2 about three or four weeks ago.

[anamexis]

The entire article is "horribly written" based on that one overstatement?

[f30e3dfed1c9]

Pretty much, yes. It is meant to be the takeaway from the article and as far as I can tell, the statement as written is false. Pretty serious problem, I think.

[anamexis]

I would say iTerm 2 has a pretty serious problem. A detailed analysis of the issue having a sentence implying it affects all users rather than many or most users is a minor problem.

[f30e3dfed1c9]

I agree that the problem in iTerm2 is serious. I do not agree that having the takeway sentence in the article being false is a "minor problem."

I cannot speculate on what fraction of iTerm2 users enable this optional feature. Is it "many or most"? No idea.

I note that the article nowhere mentions the fact that the feature is optional. That would be a huge improvement.

We can disagree over whether the article is horribly written or not. My firm opinion is that it is.

[anamexis]

Wait, hold on. iTerm 2's "conductor" is listening for the special escape sequences, whether or not you are using the shell integration features. The exploit affects all users, not just ones who have installed iTerm 2's shell integration.

[f30e3dfed1c9]

I can't tell whether that's true or not. The article says:

> The rough model is:

> 1. iTerm2 launches SSH integration, usually through it2ssh.

> 2. iTerm2 sends a remote bootstrap script, the conductor, over the existing SSH session.

> 3. That remote script becomes the protocol peer for iTerm2.

How can I tell whether this "conductor" is running on the remote host or not?

I tried to reproduce this problem, following their instructions, but was unable to. I think but am not sure that's because my environment is pretty much nothing like one that would allow this to work.

For example, whether it's the default or not, my iTerm2 just doesn't have shell integration enabled. With my profile "Command:" set to "Login Shell," it doesn't look like I could enable it if I wanted to: "Load shell integration automatically" is disabled, apparently because "Automatic loading doesn't work with ksh."