On Fri, Oct 31, 2025 at 6:42 AM Nicolas George <[email protected]> wrote:
> Vincent Lefevre (HE12025-10-31):
> > But that's potentially insecure as this could yield arbitrary
> > escape sequences to the terminal, which could do bad things.
> That has been disabled for eons.

Some of us still have terminal(s) that are "eons" old. E.g. my Cromemco C3102 terminal, it has various such control/escape sequences. One of them basically says interpret the following as hex data to be loaded into RAM, load it into RAM, and run it (the C3102 is a relatively intelligent terminal for its day, and has a 6502 microprocessor in it - and of course [E[E]]PROM(s) and RAM).

And many terminals will commonly have control/escape sequences that tell the terminal to output some or all of the content on the screen - those were the most common such control/escape sequences to be exploited, e.g. data to clear the screen, enter a command one wants the victim user to execute (e.g. to compromise their account, or the host), send a sequence to tell the terminal to output its screen contents; those contents are then sent, quite as if the user had typed them in on the keyboard.

So, sure, these days, those aren't as much a concern as they once were, but the concerns are also not entirely moot, as one can't necessarily ensure what type of terminal or emulation is/isn't or will/won't be used or ever used.
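
An added example, not part of the message above: one way for a program to make untrusted text safe to print whatever terminal or emulator is attached, by rendering every control character visibly instead of sending it. The function names and the sample strings in the comments are constructed for illustration.

```python
# Added example: neutralize untrusted text before it reaches a terminal.
# The writer cannot know how the attached terminal interprets control
# sequences, so no C0/C1 control character is passed through except
# newline and tab.

_ALLOWED = {"\n", "\t"}


def neutralize(text: str) -> str:
    """Return text with terminal control characters made visible."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch in _ALLOWED:
            out.append(ch)
        elif cp < 0x20 or cp == 0x7F:
            # C0 controls and DEL in caret notation, as `cat -v` shows
            # them: ESC becomes ^[, CR becomes ^M, DEL becomes ^?
            out.append("^" + chr(cp ^ 0x40))
        elif 0x80 <= cp <= 0x9F:
            # C1 controls (8-bit forms of CSI, OSC, DCS and friends)
            out.append(f"\\x{cp:02x}")
        else:
            out.append(ch)
    return "".join(out)


def neutralize_bytes(data: bytes) -> str:
    """Same, for raw bytes such as file names or log lines.

    Bytes that are not valid UTF-8 (for example a lone 0x9b, which an
    8-bit terminal treats as CSI) are shown as \\xNN rather than emitted.
    """
    return neutralize(data.decode("utf-8", errors="backslashreplace"))


def contains_controls(text: str) -> bool:
    """True if the text would be altered by neutralize()."""
    return neutralize(text) != text


if __name__ == "__main__":
    # Constructed sample: a clear-screen sequence embedded in a string.
    sample = "report\x1b[2Jdone"
    print(neutralize(sample))
```
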

