On February 7, 2018 11:53 AM, Andreas Schwab wrote:
> On Feb 06 2018, "Randall S. Becker" <rsbecker@xxxxxxxxxxxxx> wrote:
>
> > What I don't know - and it's not explicitly in the CVE - is just how
> > many other terminal types with similar vulnerabilities are out there,
> > but I'm suspecting it's larger than one would guess - mostly, it seems
> > like this particular sequence is intended to be used for writing
> > status line output (line 25?) instead of sticking it in a prompt. This
> > can be used to prettify a lengthy bash prompt to display the current
> > branch and repository at the bottom of the screen instead of in the
> > inline prompt, but that's the user's choice and not something git has
> > to deal with. There were some green-screen terminals with other weird
> > ESC sequences back in the day that could really get into trouble with
> > this, including loading/executing programs in terminal memory via
> > output - really. I'm sure it seemed like a good idea at the time, but
> > I can see how it could have been used for evil.
>
> Do you also want to block "+++AT"? :-)

Oh dear. Oh dear. You *do* know that actually could be bad. I wonder how many git users are still using dial-up to clone/push. Of course, they would probably not even see this message after trying to download it.

Chuckles,
Randall

-- Brief whoami:
 NonStop developer since approximately 211288444200000000
 UNIX developer since approximately 421664400
-- In my real life, I talk too much.