On Mon, Apr 16, 2018 at 09:46:01PM +0300, Alexander Sergeyev <sergeev...@gmail.com> wrote:
> The issue is even more dangerous since browsers don't display characters
> that may cause such trouble being copy-pasted into a terminal (like
> for ESC). More details and PoC:

Hi, I will consider this as an optional feature, but what I do not
understand is why this is somehow treated as a problem that can be fixed in
the terminal emulator (it can't), since this bug is clearly in whichever
application ("web browser") that selects text that the user simply didn't
select because he/she didn't see it?

If anybody wants to actually fix this security bug, then it needs to be fixed
in the component which actually has this bug, e.g. the browser.

To see why this is not a bug in urxvt (or vte), consider a keyboard driver
that replaces the key combination "vi" with "rm" - your patch effectively
patches rm to no longer delete files, because the keyboard driver sometimes
substitutes "rm" when the user types "vi". Why do you think this is somehow a
bug in rm and not the keyboard driver which is responsible for deceiving the
user here, and why would you not want to fix the keyboard driver but leave it
as it is?

> http://www.openwall.com/lists/oss-security/2018/03/05/2

This also fails to diagnose the real source of the problem and wrongly claims
the terminal emulators have a security problem, while not bothering to take
care of the actual security problem.

Patching terminal emulators to disable useful (I use this many times a day)
and harmless features like this while leaving the real security issue
unpatched seems highly counterproductive.

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schm...@schmorp.de
      -=====/_/_//_/\_,_/ /_/\_\

_______________________________________________
rxvt-unicode mailing list
rxvt-unicode@lists.schmorp.de
http://lists.schmorp.de/mailman/listinfo/rxvt-unicode
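
An added example, not part of the original message and not urxvt or vte code: one way a terminal-side paste filter of the kind debated in this thread could make pasted control characters (such as ESC) visible instead of passing them through. The function name, the caret and hex notation, the choice to keep tab, LF and CR, and the sample input are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Illustration only (hypothetical helper, not urxvt/vte code).
 * Copies a UTF-8 paste buffer to out, rewriting control characters so they
 * are visible: C0 and DEL in caret notation (ESC -> "^["), C1 as "<9B>".
 * Tab, LF and CR are kept. Returns the rewrite count, or -1 if out is full. */
int paste_make_visible(const char *in, size_t len, char *out, size_t cap)
{
    size_t o = 0;
    int hits = 0;
    if (cap == 0)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        unsigned char next = i + 1 < len ? (unsigned char)in[i + 1] : 0;
        char rep[8];
        size_t n = 1;
        rep[0] = (char)c;                /* default: copy the byte unchanged */
        if (c == 0xC2 && next >= 0x80 && next <= 0x9F) {
            /* C1 control, e.g. U+009B (8-bit CSI), encoded as C2 9B */
            n = (size_t)snprintf(rep, sizeof rep, "<%02X>", (unsigned)next);
            i++;
            hits++;
        } else if ((c < 0x20 && c != '\t' && c != '\n' && c != '\r') || c == 0x7F) {
            rep[0] = '^';
            rep[1] = (char)(c ^ 0x40);   /* 0x1B -> '[', 0x7F -> '?' */
            n = 2;
            hits++;
        }
        if (o + n >= cap)                /* keep room for the terminating NUL */
            return -1;
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return hits;
}

int main(void)
{
    /* Constructed sample: a harmless colour-reset sequence hidden in a paste */
    static const char sample[] = "ls \x1b[0m-l \xc2\x9b" "0m\n";
    char shown[64];
    int hits = paste_make_visible(sample, sizeof sample - 1, shown, sizeof shown);
    printf("%d control character(s) rewritten: %s", hits, shown);
    return 0;
}
```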