Hi,

Lloyd wrote on Sun, Jan 12, 2025 at 06:28:44PM +0000:
> Ingo Schwarze wrote:

>> So, i conclude neofetch(1) almost certainly does something even more
>> crazy that you haven't mentioned, in addition to oozing ANSI escapes.
>> 
>> I don't sufficiently care about garbage programs like fortune(6) to
>> install neofetch(1) and investigate what it is that it actually does.

> Here is the offending line in neofetch, which unhides the cursor and
> enables line wrap on exit:
> 
> # If the script exits for any reason, unhide the cursor.
> trap 'printf "\e[?25h\e[?7h"' EXIT

Aha.  That is printing to STDOUT without a terminating newline.
So we were both right: the script does something more crazy than
merely printing lines to STDOUT (which you did not mention), but less
crazy than printing from the background (which i mistakenly assumed).

So the patch i committed helps both init files printing from the
background and printing without the mandatory trailing newline.
Good.  :-)


This incident illustrates yet another reason why i do not want ANSI
escape codes anywhere near my terminal.  Those escapes are a security
risk because they are significantly overpowered.  A random program
being able to turn off the cursor in my terminal with no privilege
beyond being able to print to the terminal via STDOUT?  How ridiculously
inconvenient is that?

And this is not an exception.  There are lots and lots of dangerous
ANSI escape codes that do unsafe stuff.  For example, change the
text in the xterm(1) title line, completely lock up the terminal,
make terminal output invisible, and what not.

Some ANSI escape codes are even designed to do stuff that is yet more
dangerous, like execute arbitrary code in the terminal process or
insert stuff into the *input* stream of the terminal - hopefully,
such totally crazy escape codes are always disabled, but there are
so many of these codes that it's hard to say whether all that is
enabled poses only acceptable risks.

Perhaps i should re-audit xterm(1) to see that all the bad stuff
is disabled by default.  The fact that turning off the cursor is
enabled by default doesn't bode well in my book.

Yours,
  Ingo
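
Added example, not part of the original message and not code from neofetch or xterm: a small Python filter that lists and strips CSI and OSC escape sequences in a program's output before it reaches a terminal. The sample bytes are constructed (their last two sequences are the ones printed by the trap line quoted above); the function names and labels are assumptions of this example, and other sequence types such as DCS or APC are not parsed.

```python
import re

# ECMA-48 control sequences: CSI (ESC [ params intermediates final) and
# OSC (ESC ] text, terminated by BEL or by ST = ESC \).
CSI = re.compile(rb"\x1b\[([0-?]*)([ -/]*)([@-~])")
OSC = re.compile(rb"\x1b\]([^\x07\x1b]*)(?:\x07|\x1b\\)")

# Labels for the sequences mentioned in the thread; others are reported generically.
PRIVATE_MODES = {b"25": "cursor visibility (DECTCEM)", b"7": "line wrap (DECAWM)"}
OSC_TITLE = {b"0", b"1", b"2"}  # xterm: set icon name and/or window title

# Constructed sample: one text line, a title change, then the trap's output.
SAMPLE = b"line one\n\x1b]2;constructed title\x07\x1b[?25h\x1b[?7h"


def audit(data: bytes):
    """Return sorted (offset, description) pairs for each CSI/OSC sequence."""
    findings = []
    for m in CSI.finditer(data):
        params, _, final = m.groups()
        if params.startswith(b"?") and final in (b"h", b"l"):
            state = "set" if final == b"h" else "reset"
            for mode in params[1:].split(b";"):
                name = PRIVATE_MODES.get(mode, "private mode " + mode.decode())
                findings.append((m.start(), f"{state} {name}"))
        else:
            findings.append((m.start(), "CSI " + (params + final).decode()))
    for m in OSC.finditer(data):
        code = m.group(1).split(b";", 1)[0]
        what = "set window title" if code in OSC_TITLE else "OSC " + code.decode()
        findings.append((m.start(), what))
    return sorted(findings)


def strip(data: bytes) -> bytes:
    """Remove CSI and OSC sequences, then any stray ESC bytes."""
    return OSC.sub(b"", CSI.sub(b"", data)).replace(b"\x1b", b"")


def ends_with_newline(data: bytes) -> bool:
    """True if the output ends with the trailing newline a shell prompt expects."""
    return data.endswith(b"\n")


if __name__ == "__main__":
    for offset, what in audit(SAMPLE):
        print(offset, what)
    print(strip(SAMPLE), ends_with_newline(SAMPLE))
```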
