From: Michael Conrad
> Sent: 03 July 2024 01:29
>
> The underlying root problem here is the same as SQL injection or HTML
> cross-site scripting attacks. You have data, and you emit it in a
> context that is expecting a language/protocol of some sort, not raw
> data. You then need to escape anything in your data that could be
> misinterpreted as the protocol. We're really lucky that there isn't any
> way to make a TTY execute commands or delete files or grant user
> permissions.

I'm sure some terminals supported an escape sequence to write the
terminal 'answerback' message.
(You might need to go back to 1980s async terminals.)
Having 'ls' generate the answerback message (unlikely on anything
recent) is mighty confusing - even when not malicious.

David
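
The escaping described in the quoted message, as an added example that is not part of either message and is not busybox code: a hypothetical helper, tty_escape(), rewrites control bytes in a file name as visible octal escapes before the name is written to a terminal. The function name, the octal output form and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not busybox code: copy `name` into `out`, turning
 * every byte a terminal could read as protocol into a visible \ooo escape.
 * Returns the number of bytes written, or -1 if `out` is too small. */
static int tty_escape(const char *name, char *out, size_t outsz)
{
    const unsigned char *p = (const unsigned char *)name;
    size_t o = 0;
    int force = 0; /* previous byte was the 0xC2 lead of a UTF-8 C1 control */

    if (outsz == 0)
        return -1;
    for (; *p; p++) {
        /* C1 controls U+0080..U+009F (8-bit CSI etc.) as UTF-8: C2 80..9F */
        int c1 = (*p == 0xc2 && p[1] >= 0x80 && p[1] <= 0x9f);
        /* C0 controls (ESC, ENQ, BEL, CR, ...), DEL, and the backslash
         * itself, so the escaped form stays unambiguous */
        int esc = force || c1 || *p < 0x20 || *p == 0x7f || *p == '\\';

        force = c1;
        if (esc) {
            if (outsz - o < 5)
                return -1;
            o += (size_t)snprintf(out + o, outsz - o, "\\%03o", (unsigned)*p);
        } else {
            if (outsz - o < 2)
                return -1;
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample names: colour sequence, ENQ, plain UTF-8 text */
    const char *names[] = { "a\x1b[31mb", "enq\x05", "caf\xc3\xa9.txt" };
    char buf[64];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (tty_escape(names[i], buf, sizeof buf) >= 0)
            puts(buf);
    return 0;
}
```

Ordinary multi-byte UTF-8 text passes through unchanged; only C0 controls, DEL, UTF-8 encoded C1 controls and the backslash are rewritten.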