Re: CP1252 under Unix

From: Valeriy E. Ushakov (uwe@ptc.spbu.ru)
Date: Sat Mar 25 2000 - 17:10:27 EST


On Sat, Mar 25, 2000 at 12:37:45PM -0800, Frank da Cruz wrote:

> > Taking my spare-time character-set fanatic hat off and putting my
> > day-job computer security hat on for a moment, I'd strongly advise Frank
> > (and developers of email software that runs in VT100 emulators) to
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > ensure that only the following C0/C1 characters received from outside
> > the ivory tower ever be forwarded to the terminal...
>
> Markus, what does your own UTF-8 Xfree86 VT220-emulating xterm do? On the
> one hand you can use it to log in to VMS, which makes serious use of C1
> controls. On the other hand you can use it to read mail that contains
> "smart quotes". Which of these works? They can't both work. If it works
> for "smart quotes", then you must have deliberately broken the standards-
> conforming aspect that lets it emulate VT320 and above and therefore work
> with VMS, which means it can no longer claim to be a VT220.

As a proud owner of a real vt220 (that used to be my primary display
device here at home for quite some time) I can assure you that Markus
is 100% correct here. E.g. tin(1) newsreader used to be very
simplistic in its handling of charsets (it seems it's improving now),
so every now and then it was just spewing CP1251 characters from C1
onto my poor vt220 with an assortment of funny after-effects.

Sure, you can do a lot of useful things with your VT by using terminal
commands, like downloading fonts (which I have to do to use Cyrillic)
etc. But what Markus refers to, I believe, is that you don't want a
random email message or a news posting to download a new font into
your VT, reprogram your UDK and drink all the beer in your fridge.
Think of it in terms of the disable-JavaScript-in-Mail/News option
present in IE or Netscape.

E.g. I believe I saw an example attack that used talkd(8) to spew some
interesting stuff onto your terminal as the login name of the caller.
You can be really creative with terminal controls, not much less than
with all those JavaScript exploits.

SY, Uwe

-- 
uwe@ptc.spbu.ru                         |       Zu Grunde kommen
http://www.ptc.spbu.ru/~uwe/            |       Ist zu Grunde gehen
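The mitigation both Markus and Uwe have in mind above, as an added example that is not code from the thread or from any mail or news program named in it: an output filter that a mail reader or newsreader would apply to message text before writing it to the terminal. The C0 allowlist here (TAB, LF, CR, BS) is my own assumption, since Markus's actual list is elided in the quote; everything else in C0, DEL, and the whole C1 range (0x80..0x9F, which is where ESC-less CSI, DCS and friends live on a VT220) is rendered visibly instead of being passed through. A second helper shows the related CP1252 point of the thread: a body labelled ISO-8859-1 but carrying bytes in 0x80..0x9F is usually mislabelled CP1252, so "smart quotes" can be turned into real U+201C/U+201D rather than being forwarded as C1 controls.

```python
"""Defensive terminal-output filter for untrusted message text.

Added example, not part of the original mailing-list post. The C0
allowlist below is an assumption; the thread does not state the exact
set Markus proposed.
"""

# C0 controls we are willing to forward to the terminal (assumed list).
SAFE_C0 = frozenset("\t\n\r\b")


def is_control(ch: str) -> bool:
    """True for C0 (0x00-0x1F), DEL (0x7F) and C1 (0x80-0x9F) code points."""
    cp = ord(ch)
    return cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F


def render_control(ch: str) -> str:
    """Make a control character visible instead of letting it act."""
    cp = ord(ch)
    if cp < 0x20:
        return "^" + chr(cp + 0x40)  # caret notation: ESC -> "^["
    if cp == 0x7F:
        return "^?"
    return "<C1:%02X>" % cp  # C1 range; e.g. 0x9B is CSI on a VT220


def sanitize_for_terminal(text: str, allowed=SAFE_C0) -> str:
    """Return text with every non-allowlisted control made visible.

    Works on code points, so it also neutralises C1 controls that arrive
    as U+0080..U+009F in a UTF-8 terminal.
    """
    out = []
    for ch in text:
        if is_control(ch) and ch not in allowed:
            out.append(render_control(ch))
        else:
            out.append(ch)
    return "".join(out)


def decode_untrusted(raw: bytes, declared_charset: str) -> str:
    """Decode a message body, treating an ISO-8859-1 label with bytes in
    0x80..0x9F as the common mislabel for CP1252 (the thread's topic).

    Undefined CP1252 bytes (0x81, 0x8D, 0x8F, 0x90, 0x9D) become U+FFFD
    rather than raising.
    """
    cs = declared_charset.lower().replace("_", "-")
    if cs in ("iso-8859-1", "iso8859-1", "latin-1", "latin1") and any(
        0x80 <= b <= 0x9F for b in raw
    ):
        cs = "cp1252"
    return raw.decode(cs, errors="replace")


if __name__ == "__main__":
    # Constructed sample: a body with an escape sequence, a DCS introducer
    # (the font-download path Uwe mentions) and a raw C1 CSI byte.
    body = b"Hi\x1b[31m there\x1bPfont...\x9b2J\n"
    print(sanitize_for_terminal(body.decode("latin-1")))
    # Constructed sample: CP1252 smart quotes mislabelled as ISO-8859-1.
    print(sanitize_for_terminal(decode_untrusted(b"\x93quoted\x94", "ISO-8859-1")))
```

Running it shows the escape and DCS introducers as `^[` and the bare CSI byte as `<C1:9B>`, while the mislabelled smart quotes come out as proper curly quotes once the charset guess is applied; if the guess is not applied, the same bytes are shown as `<C1:93>` and `<C1:94>` instead of reaching the terminal as C1 controls.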



This archive was generated by hypermail 2.1.2 : Tue Jul 10 2001 - 17:21:00 EDT