oss-sec mailing list archives
Re: s/party/hack like it's 1999
From: Solar Designer <solar () openwall com>
Date: Fri, 22 Apr 2016 06:57:37 +0300
On Thu, Apr 21, 2016 at 09:45:59PM +0200, Jakub Wilk wrote:
> * up201407890 () alunos dcc fc up pt, 2015-09-17, 18:03:
> > 'less' doesn't interpret escape sequences unless the -r switch is used, so stop aliasing it to 'less -r' just because there's no colored output.
>
> As somebody else noted, it should be s/doesn't interpret/neutralizes/ or something. But that doesn't mean you should feel safe if you don't use -r. For example, when git automatically spawns a pager, it puts R in the LESS environment variable. (That would be fine if git escaped \033 before passing them to the pager, but it doesn't. Oddly, it does seem to escape other control characters.)
>
> Now, -R is less convenient than -r for hiding malicious code, but you could still set foreground and background to black in hope that the victim's terminal background is also black. But even without -r or -R, one can use backspace characters to hide evil payload:
Right. less has the -U option to prevent that. And yes, it's too many options to remember, unfortunately.

Safe(r) use of less was previously discussed here:

http://www.openwall.com/lists/oss-security/2015/09/03/9

To view untrusted text files, use "less -nU". Instead of "tail -f", use "less -nUEX +F". Setting up aliases may help.

This assumes that your distro didn't set up a script in LESSOPEN that would do something dangerous for the given filename/suffix.

Alexander
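As an added example (not from the thread, and not Jakub's or Alexander's code), a POSIX shell script that checks an untrusted text file for the bytes this thread is about before it is paged: backspace and CR, which less without -U lets the terminal act on, and ESC, which -r/-R passes through as an escape sequence. The function names and the two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag and reveal terminal control bytes in a text file.
# Function names (count_terminal_controls etc.) are hypothetical.

# Print how many ESC (0x1b), backspace (0x08) and CR (0x0d) bytes a file holds.
count_terminal_controls() {
    # tr -c -d deletes every byte NOT in the set, so only those bytes survive;
    # LC_ALL=C keeps tr byte-oriented regardless of the user's locale.
    LC_ALL=C tr -cd '\033\010\015' < "$1" | wc -c | tr -d ' '
}

# Succeed (exit 0) when the file contains at least one of those bytes.
has_terminal_controls() {
    [ "$(count_terminal_controls "$1")" -gt 0 ]
}

# Render every byte unambiguously with POSIX sed 'l' (ESC as \033, BS as \b),
# so the file is read as it is stored rather than as a terminal would paint it,
# much like viewing it with "less -U".
reveal_controls() {
    sed -n l "$1"
}

# Constructed samples: a clean file, and one that hides "secret" behind
# backspaces (a terminal overwrites it with "normal") and hides a second
# line with the black-on-black SGR sequence the thread describes.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
clean="$tmp/clean.txt"
tainted="$tmp/tainted.txt"
printf 'just a plain line\n' > "$clean"
printf 'secret\b\b\b\b\b\bnormal text\n' > "$tainted"
printf '\033[30;40mhidden by colour\033[0m\n' >> "$tainted"

for f in "$clean" "$tainted"; do
    if has_terminal_controls "$f"; then
        echo "$f: $(count_terminal_controls "$f") control byte(s); stored contents:"
        reveal_controls "$f"
    else
        echo "$f: no terminal control characters"
    fi
done
```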