oss-sec mailing list archives
rxvt-unicode "insecure" setting [Was: terminal emulators' processing of escape sequences]
From: Ian Zimmerman <itz () primate net>
Date: Wed, 17 May 2017 09:40:57 -0700
This is a bit tangential to this particular thread, but clearly
security-related.

Quoting "man urxvt", section "RESOURCES":

    insecure: boolean
        Enables "insecure" mode. Rxvt-unicode offers some escape
        sequences that echo arbitrary strings like the icon name or the
        locale. This could be abused if somebody gets 8-bit-clean access
        to your display, whether through a mail client displaying mail
        bodies unfiltered or through write(1) or any other means.
        Therefore, these sequences are disabled by default. (Note that
        many other terminals, including xterm, have these sequences
        enabled by default, which doesn't make it safer, though).

        You can enable them by setting this boolean resource or
        specifying -insecure as an option. At the moment, this enables
        display-answer, locale, findfont, icon label and window title
        requests.

My ~/.Xresources file, trimmed. I am sure it is getting read, because
of the cutchars, colors and geometry settings:

    Rxvt.background: seashell
    Rxvt.color10: green4
    Rxvt.color11: orange2
    Rxvt.color14: cyan4
    Rxvt.color2: green3
    Rxvt.color3: orange
    Rxvt.color6: cyan3
    Rxvt.cutchars: '"!' &()*,;<=>?@[]^{|} #$%+-./:
    Rxvt.foreground: Gray40
    Rxvt.geometry: 103x36
    Rxvt.saveLines: 200
    Rxvt.visualBell: on
    URxvt.font: x:-misc-fixed-medium-r-semicondensed--13-*-*-*-*-*-iso10646-1
    URxvt.perl-ext-common:
    URxvt.insecure: false

Finally, a chunk of my ~/.bashrc:

    # If this is an xterm set the title to something informative
    case "$TERM" in
    xterm*|rxvt*)
        PROMPT_COMMAND="echo -ne \"\E]0; $$ ${LOGNAME}@${HOSTNAME}:\${PWD} \a\""
        ;;
    *)
        ;;
    esac

And ... it works! Why?

-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://primate.net/~itz/blog/the-problem-with-gpg-signatures.html
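
Added example, not part of the original message and not rxvt-unicode code: a filter of the kind the quoted man page text implies a mail client or similar program needs before writing untrusted bytes to a terminal. It renders control characters visibly (cat -v style) so no escape sequence reaches the emulator, and reports which introducers it saw; the function names and the sample input are constructed for illustration.

```python
import re

# Sequence introducers: 7-bit ESC forms and their single-character C1 equivalents.
INTRODUCERS = {
    "\x1b]": "OSC", "\x9d": "OSC",  # e.g. the title-setting form in the .bashrc above
    "\x1b[": "CSI", "\x9b": "CSI",
    "\x1bP": "DCS", "\x90": "DCS",
}
# C0 controls except tab and newline, DEL, and the whole C1 range.
CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def caret(match):
    """Render one control character as visible text, cat -v style."""
    cp = ord(match.group())
    if cp == 0x7F:
        return "^?"
    if cp < 0x20:
        return "^" + chr(cp + 0x40)
    return "M-^" + chr(cp - 0x80 + 0x40)


def sanitize(raw):
    """Return (safe_text, findings) for untrusted bytes bound for a terminal.

    findings is a list of (offset, kind) for each sequence introducer seen.
    """
    # Invalid UTF-8, including bare 8-bit C1 bytes, decodes to U+FFFD and is
    # therefore neutralized without being reported as an introducer.
    text = raw.decode("utf-8", errors="replace").replace("\r\n", "\n")
    findings = []
    for i, ch in enumerate(text):
        kind = INTRODUCERS.get(text[i:i + 2]) or INTRODUCERS.get(ch)
        if kind:
            findings.append((i, kind))
    return CONTROL.sub(caret, text), findings


# Constructed sample: a "mail body" with an OSC title sequence and a C1 CSI.
SAMPLE = b"Hello\r\n\x1b]0;not your title\x07 and \xc2\x9b31mred\r\n"

if __name__ == "__main__":
    safe, found = sanitize(SAMPLE)
    print(safe, found)
```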