From: | Maxim Nikulin |
Subject: | Re: Thoughts on the standardization of Org |
Date: | Thu, 12 Nov 2020 00:10:05 +0700 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 |
2020-11-11 Jean Louis wrote:
> * Maxim Nikulin [2020-11-10 19:31]:
>> 2020-11-10 Greg Minshall wrote:
>>> i would guess using 'cat -v' to read e-mail is 100% safe. even throwing in uudecode(1), or whatever is needed to decode base64, (and then piping through 'cat -v', of course), it's probably still safe.
>>
>> Please, check that you have at least updated tmux before applying such "safe" handler:
>> https://www.openwall.com/lists/oss-security/2020/11/05/3
>> The news is too recent to not mention the link in such context. The sour story is that it is unsafe to feed non-trusted files directly to terminal. A filter against control sequences is required.
>
> Is there any way to disable control sequences? Then cat can be aliased.
>
> We were kidding.

You do not need a terminal if you do not need control sequences. They play the role of an interface that allows line (or full screen) editing, which is why control sequences are the essence of terminals. I suppose you would get tired almost immediately having to type everything strictly sequentially without the ability to remove even the last character. Some terminals allow disabling particular features, e.g. setting of the title in xterm. But there are still a lot of rather basic capabilities.
Likely pasting a command from a web page is a more real threat. E.g. zsh could be more restrictive than bash when copying a piece of text into a terminal. If you have to work in non-trusted environments, some general recommendations (e.g. keep your system up to date) and isolation techniques (virtual machines or at least separate system users) could be applied.

My point was that MIME handlers have to be carefully chosen. Even well known applications could have special options. And sorry, I somehow missed the "-v" option of cat in Greg's message. It is exactly the case of a tool that everyone knows and a significantly more rare option.
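
As an added illustration, not part of the original message: a small Python filter of the kind the message calls for, which makes control characters in untrusted text visible before it reaches a terminal. It uses caret notation for C0 controls as `cat -v` does, but decodes UTF-8 so that non-ASCII text stays readable; the function names and the sample bytes are constructed for this example.

```python
import sys
import unicodedata

KEEP = {"\n", "\t"}  # layout characters that are safe to pass through


def visible(ch: str) -> str:
    """Return a printable stand-in for one control character."""
    code = ord(ch)
    if code < 0x20:
        return "^" + chr(code + 0x40)   # ESC -> ^[, BEL -> ^G (as cat -v does)
    if code == 0x7F:
        return "^?"                      # DEL
    return f"<U+{code:04X}>"             # C1 controls, e.g. 8-bit CSI U+009B


def neutralize(raw: bytes) -> str:
    """Decode untrusted bytes and make every control character inert."""
    # Invalid UTF-8 (including stray 0x80-0x9F bytes) becomes U+FFFD.
    text = raw.decode("utf-8", errors="replace")
    out = []
    for ch in text:
        # Category Cc covers C0, DEL and C1, so both ESC-based and
        # 8-bit control sequences lose their introducer.
        if ch not in KEEP and unicodedata.category(ch) == "Cc":
            out.append(visible(ch))
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample: xterm title sequence, a colour sequence, UTF-8 text, CRLF
SAMPLE = b"\x1b]0;title\x07Hello \x1b[31mworld\x1b[0m, na\xc3\xafve\r\n"

if __name__ == "__main__":
    # Filter stdin when piped; otherwise show the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.buffer.read()
    sys.stdout.write(neutralize(data))
```

Used as a pipe stage after the MIME decoder, it takes the place of `cat -v` in the handler discussed above.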