Re: The ls command
On Fri, Oct 31, 2025 at 6:42 AM Nicolas George <george@nsup.org> wrote:
> Vincent Lefevre (HE12025-10-31):
> > But that's potentially insecure as this could yield arbitrary
> > escape sequences to the terminal, which could do bad things.
> That has been disabled for eons.

Some of us still have terminal(s) that are "eons" old.
E.g. my Cromemco C3102 terminal,
it has various such control/escape sequences.
One of them basically says interpret the following as hex data to
be loaded into RAM, load it into RAM, and run it
(the C3102 is a relatively intelligent terminal for its day,
and has a 6502 microprocessor in it - and of course
[E[E]]PROM(s) and RAM).
And many terminals will commonly have control/escape sequences
that tell the terminal to output some or all of the content on the
screen - those were the most common such control/escape
sequences to be exploited, e.g. data to:
    clear the screen,
    enter a command one wants the victim user to execute, e.g. to
    compromise their account, or the host,
    send sequence to tell the terminal to output its screen contents;
    those contents are then sent, quite as if the user had typed them
    in on the keyboard.
So, sure, these days, those aren't as much a concern as they once were,
but the concerns are also not entirely moot, as one can't necessarily
ensure what type of terminal or emulation is/isn't or will/won't be used
or ever used.
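
Added example, not part of the original message: a listing routine that escapes control characters in file names before they reach the terminal, so the result does not depend on which terminal or emulation is in use. The function names and the sample names are constructed for illustration; the escaping style is this example's own choice, not the behaviour of any particular ls implementation.

```python
import os
import unicodedata


def _unsafe(ch):
    """True for control characters and for bytes that were not valid UTF-8."""
    return unicodedata.category(ch) == "Cc" or 0xDC80 <= ord(ch) <= 0xDCFF


def has_controls(raw):
    """Report whether a file name (bytes) holds anything a terminal might act on."""
    return any(_unsafe(c) for c in raw.decode("utf-8", "surrogateescape"))


def quote_name(raw):
    """Render a file name (bytes) as text that is safe to write to a terminal."""
    out = []
    for ch in raw.decode("utf-8", "surrogateescape"):
        cp = ord(ch)
        if 0xDC80 <= cp <= 0xDCFF:
            # Undecodable byte, e.g. a raw 8-bit C1 control on an old terminal.
            out.append("\\x%02x" % (cp - 0xDC00))
        elif ch == "\\":
            # Escape the escape character so the output stays unambiguous.
            out.append("\\\\")
        elif unicodedata.category(ch) == "Cc":
            # C0 controls and DEL as \xNN, UTF-8 encoded C1 controls as \uNNNN.
            out.append("\\x%02x" % cp if cp < 0x80 else "\\u%04x" % cp)
        else:
            out.append(ch)
    return "".join(out)


def list_dir_safely(path=b"."):
    """List a directory with every name passed through quote_name()."""
    return sorted(quote_name(name) for name in os.listdir(path))


if __name__ == "__main__":
    # Constructed sample names: plain, non-ASCII, ESC sequence, raw C1 byte.
    for sample in (b"notes.txt", b"caf\xc3\xa9.txt", b"a\x1b[2Jb", b"x\x9by"):
        flag = "!" if has_controls(sample) else " "
        print(flag, quote_name(sample))
```

Names are read as bytes because a file name need not be valid text in any encoding, and the raw byte is what the terminal would otherwise receive.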