https://bugs.kde.org/show_bug.cgi?id=379294
Grósz Dániel <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #11 from Grósz Dániel <[email protected]> ---
(In reply to Egmont Koblinger from comment #6)
> If an email client emits the email's contents raw as-is (including control
> characters, escape sequences) to the terminal, then that is a serious
> problem that should be reported and fixed as soon as possible. And yes, in
> that case it's _that_ email client (or other console-based app) to blame!

An obvious example of a tool that sends arbitrary data to the terminal without filtering escape sequences is cat. cat'ting an untrusted file shouldn't be a security vulnerability. Others include head and tee. Many programs such as find or ls filter escape sequences by default when sending output directly to a terminal, but not if they are piped into head or tee.

There are so many ways untrusted data can end up printed to a terminal that I don't think it's practical to prevent them all. If outputting arbitrary data to the terminal causes security problems, IMO it's the terminals that should be fixed. Not least because (safe) escape sequences can be useful for formatting even in untrusted text files.

As far as I understand, most modern terminal emulators don't have really dangerous escape sequences; the sequences the terminal may respond with as keystrokes generally don't correspond to actual keyboard input.

That said, even if untrusted text can display unfiltered hyperlinks, it's not more dangerous than a website as long as dangerous URLs are not automatically opened.
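Added example (not part of the comment above and not code from KDE or coreutils): an output filter for untrusted text that can keep colour/formatting (SGR) sequences and removes every other escape sequence, OSC 8 hyperlinks included, filtering only when stdout is a terminal. The name sanitize, the --color switch and the choice of "?" as replacement character are assumptions made for this illustration.

```python
import re
import sys

# One token = a complete ECMA-48 escape sequence, or a single stray control char.
_TOKEN = re.compile(r"""
    (?P<seq>
        \x1b\[ [0-?]* [ -/]* [@-~]                  # CSI: colours, cursor moves, reports
      | \x9b   [0-?]* [ -/]* [@-~]                  # CSI introduced by 8-bit C1
      | (?:\x1b\]|\x9d) .*? (?:\x07|\x1b\\|\x9c)    # OSC: titles, OSC 8 hyperlinks
      | (?:\x1b[PX^_]|[\x90\x98\x9e\x9f]) .*? (?:\x1b\\|\x9c)   # DCS, SOS, PM, APC
      | \x1b [ -/]* [0-~]                           # remaining ESC sequences
    )
  | (?P<ctl> [\x00-\x08\x0b-\x1f\x7f-\x9f] )        # any control char except tab, newline
""", re.VERBOSE | re.DOTALL)

# Allowlist: plain SGR (bold, colours, reset) only changes how text is drawn.
_SGR = re.compile(r"\x1b\[[0-9;]*m")


def sanitize(text, keep_sgr=False):
    """Return text that is safe to write to a terminal.

    Complete escape sequences are dropped (SGR is kept if keep_sgr is set);
    stray control characters, including CR and a lone ESC, become '?'.
    """
    def repl(match):
        if match.group("ctl") is not None:
            return "?"
        seq = match.group("seq")
        return seq if keep_sgr and _SGR.fullmatch(seq) else ""
    return _TOKEN.sub(repl, text)


if __name__ == "__main__":
    data = sys.stdin.buffer.read().decode("utf-8", "replace")
    # Filter only when the output really is a terminal; pipes get the raw data.
    # "--color" is a hypothetical switch of this example that keeps SGR formatting.
    if sys.stdout.isatty():
        data = sanitize(data, keep_sgr="--color" in sys.argv)
    sys.stdout.write(data)
```

Used as the last stage of a pipeline (for example after head or tee), it restores the filtering that those tools do not perform themselves.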
