oss-sec mailing list archives

Re: s/party/hack like it's 1999


From: Solar Designer <solar () openwall com>
Date: Fri, 22 Apr 2016 06:57:37 +0300

On Thu, Apr 21, 2016 at 09:45:59PM +0200, Jakub Wilk wrote:
> * up201407890 () alunos dcc fc up pt, 2015-09-17, 18:03:
> > 'less' doesn't interpret escape sequences unless the -r switch is used,
> > so stop aliasing it to 'less -r' just because there's no colored
> > output.
> 
> As somebody else noted, it should be s/doesn't interpret/neutralizes/ or
> something. But that doesn't mean you should feel safe if you don't use
> -r.
> 
> For example, when git automatically spawns a pager, it puts R in the
> LESS environment variable. (That would be fine if git escaped \033
> before passing it to the pager, but it doesn't. Oddly, it does seem to
> escape other control characters.) Now, -R is less convenient than -r for
> hiding malicious code, but you could still set foreground and background
> to black in hope that the victim's terminal background is also black.
> 
> But even without -r or -R, one can use backspace characters to hide an
> evil payload:

Right.  less has the -U option to prevent that.  And yes, it's too many
options to remember, unfortunately.  Safe(r) use of less was previously
discussed here:

http://www.openwall.com/lists/oss-security/2015/09/03/9

To view untrusted text files, use "less -nU".  Instead of "tail -f", use
"less -nUEX +F".  Setting up aliases may help.

This assumes that your distro didn't set up a script in LESSOPEN that
would do something dangerous for the given filename/suffix.

Alexander
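The two hiding tricks discussed in this thread (backspace erasure and a black-on-black SGR escape) and the "less -nU" advice above, as an added shell example that is not part of the message or of less itself. The sample file content, the function names, and the decision to clear LESSOPEN, LESSCLOSE and LESS before paging are this example's own assumptions; the count function treats every control byte other than TAB and LF as something a pager or terminal could act on.

```shell
#!/bin/sh
# Added example, not code from the thread: build a text file that hides one
# line behind backspaces and another behind an SGR colour escape, count the
# control bytes a pager could act on, and wrap less the way the message advises.

# Write a constructed sample to the file named in $1 (made-up content).
make_sample() {
    # A harmless visible line.
    printf 'echo hello\n' > "$1"
    # 13 characters typed, then 13 backspaces: less without -U erases them
    # from the screen; cat -v shows each one as ^H.
    printf 'rm -rf /tmp/x\b\b\b\b\b\b\b\b\b\b\b\b\b\n' >> "$1"
    # Foreground black, text, reset: invisible on a black terminal when less
    # honours escapes (-r, or -R as when git puts R into LESS).
    printf '\033[30mhidden\033[0m\n' >> "$1"
}

# Count the control bytes in $1 other than TAB and LF.  Anything else
# (BS, CR, ESC, DEL, ...) is something a pager or terminal may interpret.
count_ctrl_bytes() {
    n=$(LC_ALL=C tr -d '\n\t' < "$1" | LC_ALL=C tr -dc '\000-\037\177' | wc -c)
    echo $((n + 0))   # arithmetic strips the padding BSD wc prints
}

# Return 0 when the file has no such bytes, 1 otherwise.
is_clean() {
    [ "$(count_ctrl_bytes "$1")" -eq 0 ]
}

# View untrusted text as the message recommends: -n (no line numbering, so
# a huge file doesn't stall), -U (show BS/CR/TAB literally), and with
# LESSOPEN/LESSCLOSE/LESS cleared in a subshell so no preprocessor script
# runs and no inherited -r/-R applies.  Assumed wrapper, not part of less.
view_untrusted() {
    (unset LESSOPEN LESSCLOSE LESS; exec less -nU -- "$@")
}

if [ "${1-}" = demo ]; then
    f=$(mktemp) || exit 1
    make_sample "$f"
    printf 'control bytes: %s\n' "$(count_ctrl_bytes "$f")"
    cat -v "$f"        # ^H and ^[ mark what a default pager would act on
    rm -f "$f"
fi
```

Run it with `sh script.sh demo` to see the constructed file through `cat -v`; `view_untrusted somefile` pages an actual file with the safer options. The count check is useful as a pre-view gate in scripts: a plain text file should report zero.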
