On Mon, Apr 16, 2018 at 09:46:01PM +0300, Alexander Sergeyev 
<sergeev...@gmail.com> wrote:
> The issue is even more dangerous since browsers don't display characters
> that may cause such trouble being copy-pasted into a terminal (like &#27;
> for ESC). More details and PoC:

Hi, I will consider this as an optional feature, but what I do not
understand is why this is somehow treated as a problem that can be
fixed in the terminal emulator (it can't), since this bug is clearly in
whichever application ("web browser") that selects text that the user
simply didn't select because he/she didn't see it?

If anybody wants to actually fix this security bug, then it needs to be
fixed in the component which actually has this bug, e.g. the browser.

To see why this is not a bug in urxvt (or vte), consider a keyboard
driver that replaces the key combination "vi" with "rm" - your patch
effectively patches rm to no longer delete files, because the keyboard
driver sometimes substitutes "rm" when the user types "vi". Why do you
think this is somehow a bug in rm and not the keyboard driver which is
responsible for deceiving the user here, and why would you not want to fix
the keyboard driver but leave it as it is?

> http://www.openwall.com/lists/oss-security/2018/03/05/2

This also fails to diagnose the real source of the problem and wrongly
claims the terminal emulators have a security problem, while not bothering
to take care of the actual security problem.

Patching terminal emulators to disable useful (I use this many times a
day) and harmless features like this while leaving the real security issue
unpatched seems highly counterproductive.

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schm...@schmorp.de
      -=====/_/_//_/\_,_/ /_/\_\

_______________________________________________
rxvt-unicode mailing list
rxvt-unicode@lists.schmorp.de
http://lists.schmorp.de/mailman/listinfo/rxvt-unicode
