Bug#511431: xterm: wishlist allowSecurityRiskOps, allowEscSeqs
Package: xterm
Version: 222-1etch4
Severity: wishlist
Xterm uses allowWindowOps and allowFontOps, both defaulting to false,
see e.g.
http://bugs.debian.org/510030
(and references therein about this being an old and recurring problem).
Both resources disable many useful operations, so some people explicitly
turn them on; but then they are exposed to security risks. As an
enhancement, I propose a new resource
allowSecurityRiskOps
which (alone or in conjunction with allowWindowOps and allowFontOps)
would control security-relevant parts ("whacking" un-sanitized strings
into the input buffer, set X properties and UDK, maybe paste64, VT200
modes, or re-enable setting the answerback message). Then (most of) the
functionality of allowWindowOps and allowFontOps could safely be turned
on (maybe by default even?), and it would be clear what is dangerous.
---
Occasionally I foolishly do "cat binary-file" and get annoyed by the
"1;2c" in the input buffer and/or the need to shift-M2 "soft reset"
and/or "stty sane" to proceed. As an enhancement, I propose a new
resource
allowEscSeqs
that would control interpretation of any ESC sequences (except maybe
arrow keys); then paranoid people (who have no use for VT100 features)
could turn that off.
---
I do not attach patches to implement the above, do not want another
rejection of "your code is incorrect".
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-pk03.02-svr
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages xterm depends on:
ii libc6 2.3.6.ds1-13etch8 GNU C Library: Shared libraries
ii libfontconfig1 2.4.2-1.2 generic font configuration library
ii libice6 1:1.0.1-2 X11 Inter-Client Exchange library
ii libncurses5 5.5-5 Shared libraries for terminal hand
ii libsm6 1:1.0.1-3 X11 Session Management library
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxaw7 1:1.0.2-4 X11 Athena Widget library
ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar
ii libxft2 2.1.8.2-8 FreeType-based font drawing librar
ii libxmu6 1:1.0.2-2 X11 miscellaneous utility library
ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library
ii xbitmaps 1.0.1-2 Base X bitmaps
Versions of packages xterm recommends:
ii xutils 1:7.1.ds.3-1 X Window System utility programs
-- no debconf information
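Two consumer-side mitigations for the problems described in the report above, added here as an example; the code is not from the bug report, from the xterm sources or from Debian. It assumes POSIX sh with sed -E and cat -v, and the ~/.Xresources content it audits is constructed. The "1;2c" the reporter finds in the input buffer after "cat binary-file" is the printable tail of xterm's answer to a Primary Device Attributes query (ESC [ c): the terminal replies with a sequence of the form ESC [ ? 1 ; 2 c, and since the reply arrives as if typed, the shell reads the part that survives as input. The allow*Ops resources gate the sequences whose replies or side effects are controlled by whatever wrote to the terminal. The example (a) strips OSC, CSI, nF and two-byte ESC sequences from untrusted output before a terminal sees it, (b) renders a file with control bytes made visible via cat -v, and (c) reports every allow*Ops resource that an X resources file switches on, so a setup can be checked before allowWindowOps or allowFontOps are trusted.

```shell
#!/bin/sh
# Added example, not code from the bug report, from xterm or from Debian.
# Assumes POSIX sh, sed -E and cat -v.  The ~/.Xresources content is constructed.
set -u

ESC=$(printf '\033')
BEL=$(printf '\007')

# strip_ctlseq: remove escape sequences from stdin so untrusted text can be
# written to a terminal without the terminal acting on it.  Order matters:
#   1. OSC   ESC ] ... BEL   or  ESC ] ... ESC \     (e.g. title set)
#   2. CSI   ESC [ params intermediates final         (e.g. ESC [ c, DA query)
#   3. nF    ESC intermediate(s) final                (e.g. ESC ( B, charset)
#   4. any other two-byte ESC x with x in 0x30..0x7E  (e.g. ESC 7, ESC c)
#   5. any ESC byte left over, so a truncated sequence cannot survive
strip_ctlseq() {
    sed -E \
        -e "s#${ESC}\][^${BEL}${ESC}]*(${BEL}|${ESC}\\\\)##g" \
        -e "s#${ESC}\[[0-9;?<=>]*[ -/]*[@-~]##g" \
        -e "s#${ESC}[ -/]+[0-~]##g" \
        -e "s#${ESC}[0-~]##g" \
        -e "s#${ESC}##g"
}

# show_safely: what to type instead of "cat binary-file".  cat -v prints
# ESC as ^[ and other control bytes as ^X, so the terminal never sees them.
show_safely() {
    cat -v -- "$1"
}

# risky_xterm_resources: print the lines of an X resources file that switch
# any allow*Ops resource (allowWindowOps, allowFontOps, ...) on.
# Exit status is grep's: 0 if at least one such line was found.
risky_xterm_resources() {
    grep -E -i \
        '^[[:space:]]*[^!#[:space:]][^:]*allow[a-z]*Ops[[:space:]]*:[[:space:]]*(true|on|yes|1)[[:space:]]*$' \
        -- "$1"
}

# Constructed sample resources file (not a real user's ~/.Xresources).
SAMPLE_XRES=$(mktemp)
trap 'rm -f "$SAMPLE_XRES"' EXIT
cat > "$SAMPLE_XRES" <<'EOF'
! constructed sample ~/.Xresources
XTerm*allowWindowOps: true
XTerm*allowFontOps:   false
! allowWindowOps: true      (commented out, must not be reported)
XTerm*foreground: white
EOF

# Stand-alone demonstration.
printf 'resources that enable escape-controlled operations:\n'
risky_xterm_resources "$SAMPLE_XRES" || printf '(none)\n'
printf 'sanitized: %s\n' "$(printf 'before\033[cmiddle\033]2;x\007after\n' | strip_ctlseq)"
printf 'cat -v rendering: '
printf 'before\033[cafter\n' > "$SAMPLE_XRES.bin"
show_safely "$SAMPLE_XRES.bin"
rm -f "$SAMPLE_XRES.bin"
```

strip_ctlseq is a filter, so it can sit in a pipeline in front of anything that prints data of unknown origin (log files, fetched pages, file names); show_safely is the habit that avoids the "stty sane" round trip the reporter describes; risky_xterm_resources is the check to run on ~/.Xresources or on the output of xrdb -query before deciding that a given allow*Ops resource is acceptable on a particular machine.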