I looked into this a bit more.  You can set XTerm's title bar with one
escape sequence and have it echoed back with another.  The echoed text is
bracketed with escape sequences: ^[]l<title>^[\.  Also, control characters
(including CR and LF) are not allowed.  So this is mostly secure: you're not
going to trigger a shell command with it.

This suggests a modification for my ESC [ y: prefix the paste text with
something (maybe ESC [ 200 ~), and quote all control characters, perhaps
like this:

!!  sends !
!@  sends NUL
!A  sends Ctrl-A
!B  sends Ctrl-B
....
!Z  sends Ctrl-Z
![  sends ESC
!\  sends Ctrl-\
!]  sends Ctrl-]
!^  sends Ctrl-^
!_  sends Ctrl-_

likewise,

!`, !a, !b, ... !DEL give the characters between 0x80 and 0x9F.

You can still give xterm arbitrary text with ESC [ 1 y, but I don't see how
to avoid this.  The user would have to paste it into a shell window for it
to cause harm.  Perhaps the biggest problem is that you don't know that the
selection has been changed.

jhallen wrote:

>It isn't secure, in two ways:
>
>You can construct a file so that if you "cat" it, paste data is sent to
>xterm, followed by the paste command, which would then send the data right
>to the shell prompt.  I'm looking for suggestions for this.
>
>In one sense it's not so bad, because for public data like mail and news,
>programs do not allow ESC sequences to be sent to the terminal.  Also I
>remember actual terminals (real VT100s I think) which had this same problem
>(answer back string), but there was a mode to disable it.
>
>The second problem is this: XTerm will appear to lock up if you send ESC [ 1
>y (if you cat a binary file which has it, for example).  I think this can be
>fixed: I could change it so that every 8th character has to be an ESC,
>otherwise the mode is aborted.
>
>>"Dr. David Alan Gilbert" <[EMAIL PROTECTED]> wrote:
>
>>Is this secure? It just seems that it allows a series of escape
>>characters to insert an arbitrary string into the input buffer;
>>or are there enough sequences which would let you do this anyway?
>
>Joe
>

Joe
_______________________________________________
Devel mailing list
Devel@XFree86.Org
http://XFree86.Org/mailman/listinfo/devel
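The "!" quoting scheme proposed in the message above, worked out as an added example; this is not code from the original post or from xterm, and the function names, the PASTE_PREFIX constant (the post only says "maybe ESC [ 200 ~") and the sample inputs are my own assumptions. Modern xterm's bracketed paste mode does mark a paste with ESC [ 200 ~ and ESC [ 201 ~, but the control-character quoting here is the post's proposal as written, not what xterm ships. The encoder quotes every C0 byte, every C1 byte and the "!" itself; the decoder reverses it; raw_controls() is the check a practitioner would run on the wire bytes to confirm that nothing a shell could act on survives.

```python
# Added example, not code from the original post or from xterm: an encoder and
# decoder for the "!"-quoting scheme proposed in the message above.  The
# function names, the prefix constant and the sample inputs are assumptions.

PASTE_PREFIX = b"\x1b[200~"   # the post says "maybe ESC [ 200 ~"; assumed here
BANG = ord("!")


def quote_byte(b: int) -> bytes:
    """Quote one byte as the post specifies.

    !!          -> literal '!'
    !@ .. !_    -> 0x00 .. 0x1F  (NUL, Ctrl-A .. Ctrl-Z, ESC, Ctrl-\\, Ctrl-], Ctrl-^, Ctrl-_)
    !` .. !DEL  -> 0x80 .. 0x9F  (the C1 controls)
    Everything else passes through, including DEL (0x7F), which the post does not list.
    """
    if b == BANG:
        return b"!!"
    if b < 0x20:
        return bytes([BANG, 0x40 + b])
    if 0x80 <= b <= 0x9F:
        return bytes([BANG, 0x60 + (b - 0x80)])
    return bytes([b])


def quote_paste(data: bytes) -> bytes:
    """What the terminal would send for a paste: the prefix, then the quoted text."""
    return PASTE_PREFIX + b"".join(quote_byte(b) for b in data)


def unquote_paste(stream: bytes) -> bytes:
    """Reverse quote_paste: what a scheme-aware application does on receipt."""
    if not stream.startswith(PASTE_PREFIX):
        raise ValueError("missing paste prefix")
    body = stream[len(PASTE_PREFIX):]
    out = bytearray()
    i = 0
    while i < len(body):
        b = body[i]
        if b != BANG:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("dangling '!' at end of paste")
        c = body[i + 1]
        if c == BANG:
            out.append(BANG)
        elif 0x40 <= c <= 0x5F:          # !@ .. !_
            out.append(c - 0x40)
        elif 0x60 <= c <= 0x7F:          # !` .. !DEL
            out.append(0x80 + (c - 0x60))
        else:
            raise ValueError("bad quote sequence !%c" % c)
        i += 2
    return bytes(out)


def raw_controls(data: bytes) -> list:
    """Offsets of unquoted C0 (0x00-0x1F) or C1 (0x80-0x9F) bytes after the
    prefix, i.e. anything a shell could act on.  Empty for a correctly quoted paste."""
    body = data[len(PASTE_PREFIX):] if data.startswith(PASTE_PREFIX) else data
    return [i for i, b in enumerate(body) if b < 0x20 or 0x80 <= b <= 0x9F]


if __name__ == "__main__":
    # Constructed sample: a paste that would run a command if its newline reached a shell.
    hostile = b"rm -rf ~\n\x1b[1y"
    wire = quote_paste(hostile)
    print(wire)                    # the LF becomes "!J", the ESC becomes "!["
    print(raw_controls(wire))      # [] : no bare control bytes on the wire
    assert unquote_paste(wire) == hostile
    # Every byte value survives a round trip.
    everything = bytes(range(256))
    assert unquote_paste(quote_paste(everything)) == everything
```

The point the round trip makes is the one the post is after: a file that is cat'ed to the terminal and smuggles paste text cannot push a CR or LF through this path, because they reach the application as the two printable characters "!M" and "!J". Two caveats the code makes visible: DEL is not in the post's table and passes through unquoted, and the scheme only protects applications that know to unquote; a plain shell still receives the prefix and the literal quoted text.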
