On 15 July 2024 16:39 David Laight <david.lai...@aculab.com> wrote:
> On 03 July 2024 01:29 'Michael Conrad' <mcon...@intellitree.com> wrote:
> > The underlying root problem here is the same as SQL injection or HTML
> > cross-site scripting attacks. You have data, and you emit it in a
> > context that is expecting a language/protocol
> I'm sure some terminals supported an escape sequence to write the
> terminal 'answerback' message.
> (You might need to go back to 1980's async terminals.)
> Having 'ls' generate the answerback message (unlikely on anything recent)
> is mighty confusing - even when not malicious.

Take a look at https://dgl.cx/2023/09/ansi-terminal-security. Many of these
are less than a year ago, popular apps like mintty (the Cygwin and git-bash
terminal and also the basis for PuTTY) had an RCE that could be triggered by
ANSI escape codes.

Ian
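The output-context point made in this thread, as an added example that is not from any poster or from BusyBox: a filter that rewrites an untrusted filename before it reaches a terminal, so control functions arrive as visible text. The names `utf8_decode` and `tty_safe_copy` are hypothetical, and the filter goes beyond ESC to cover UTF-8 encoded C1 controls and malformed bytes.

```c
#include <stdio.h>
#include <string.h>

/* Minimal UTF-8 decoder: returns the sequence length at s (1-4) and stores the
 * code point in *cp, or returns 0 if s does not start a well-formed sequence. */
static int utf8_decode(const unsigned char *s, unsigned *cp)
{
    int n, i;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xe0) == 0xc0)      { n = 2; *cp = s[0] & 0x1f; }
    else if ((s[0] & 0xf0) == 0xe0) { n = 3; *cp = s[0] & 0x0f; }
    else if ((s[0] & 0xf8) == 0xf0) { n = 4; *cp = s[0] & 0x07; }
    else return 0;                  /* stray continuation or invalid lead byte */
    for (i = 1; i < n; i++) {
        if ((s[i] & 0xc0) != 0x80) return 0;   /* also stops at the NUL */
        *cp = (*cp << 6) | (s[i] & 0x3f);
    }
    return n;
}

/* Hypothetical helper, not BusyBox code: copy the untrusted name `in` to `out`,
 * turning anything a terminal could act on into visible \xNN text. Returns the
 * number of characters rewritten, or -1 if `out` is too small. */
int tty_safe_copy(const char *in, char *out, size_t outsz)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t o = 0;
    int rewritten = 0;

    if (outsz == 0) return -1;
    while (*s) {
        unsigned cp = 0;
        int n = utf8_decode(s, &cp), len = n ? n : 1, i;
        /* C0 controls (ESC, ENQ, ...), DEL, C1 controls (U+009B is CSI),
         * malformed bytes, and backslash so the output stays unambiguous. */
        int bad = !n || cp < 0x20 || (cp >= 0x7f && cp <= 0x9f) || cp == '\\';
        if (o + (size_t)len * (bad ? 4 : 1) >= outsz) return -1;
        for (i = 0; i < len; i++) {
            if (bad) o += (size_t)sprintf(out + o, "\\x%02x", (unsigned)s[i]);
            else out[o++] = (char)s[i];
        }
        rewritten += bad;
        s += len;
    }
    out[o] = '\0';
    return rewritten;
}
```

Such a filter belongs only on the path that writes to a TTY; output that is piped or redirected should keep the raw bytes.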