On Feb 06 2018, "Randall S. Becker" <rsbecker@xxxxxxxxxxxxx> wrote:

> What I don't know - and it's not explicitly in the CVE - is just how many
> other terminal types with similar vulnerabilities are out there, but I'm
> suspecting it's larger than one would guess - mostly, it seems like this
> particular sequence is intended to be used for writing status line output
> (line 25?) instead of sticking it in a prompt. This can be used to prettify a
> lengthy bash prompt to display the current branch and repository at the
> bottom of the screen instead of in the inline prompt, but that's the user's
> choice and not something git has to deal with. There were some green-screen
> terminals with other weird ESC sequences back in the day that could really
> get into trouble with this, including loading/executing programs in terminal
> memory via output - really. I'm sure it seemed like a good idea at the time,
> but I can see how it could have been used for evil.

Do you also want to block "+++AT"? :-)

Andreas.

--
Andreas Schwab, schwab@xxxxxxxxxxxxxx
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."