My understanding is that all of these terminal emulators derive the ASCII control code behaviors and ANSI escape sequences from the VT100 standard. I also understand that there is an ANSI standard for terminal behavior that is based on either VT100 or VT102. Am I correct in this understanding? Also, what other features or behaviors are derived from VT100?
Terminal – Extent of VT100 Basis in Xterm, Xterm-Color, and Linux Terminal Emulators
historyterminalterminal-emulatorxterm
Related Solutions
VT100 terminals (which all modern terminal emulators emulate to some extent) supported a number of problematic commands, but modern emulators or distributions disable the more problematic and less useful ones. Here's a non-exhaustive list of potentially risky escape sequences (not including the ones that merely make the display unreadable in some way):
- The arbitrary log file commands in rxvt and Eterm reported by H.D. Moore. These are indeed major bugs, fortunately long fixed.
- The answerback command, also known as Return Terminal Status, invoked by
ENQ
(Ctrl+E
). This inserts text into the terminal as if the user had typed it. However, this text is not under control of the attacker: it is the terminal's own name, typically something likexterm
orscreen
. On my system (Debian squeeze), xterm returns the empty string by default (this is controlled by theanswerbackString
resource). - The Send Device Attributes commands,
ESC [ c
and friends. The terminal responds withESC [ … c
(where the…
can contain digits and ASCII punctuation marks only). This is a way of querying some terminal capabilities, mostly obsolete but perhaps used by old applications. Again, the terminal's response is indistinguishable from user input, but it is not under control of the attacker. The control sequence might look like a function key, but only if the user has an unusual configuration (none of the usual settings I've encountered has a valid function key escape sequence that's a prefix of the terminal response). - The various device control functions (DCS escapes, beginning with
ESC P
).- I don't know what harm can be done through
DECUDK
(set user-defined keys) on a typical terminal emulator. DECRQSS
(Request Status String) is yet another command to which the terminal responds with an escape sequence, this time beginning with\eP
; this can be problematic since\eP
is a valid key (Alt+Shift+P).- Xterm has two more experimental features:
ESC P + p …
andESC P + q …
, to get and set termcap strings. From the description, this might be used at least to modify the effect of function keys.
- I don't know what harm can be done through
- Several status report commands:
ESC [ … n
(Device Status Report). The terminal responds with an escape sequence. Most of these escape sequences don't correspond to function key escape sequences. One looks problematic: the report toESC [ 6 n
is of the formESC [ x ; y R
wherex
andy
are digit sequences, and this could look like F3 with some modifiers. - Window manipulation commands
ESC [ … t
.- Some of these allow the xterm window to be resized, iconified, etc., which is disruptive.
- Some of these cause the terminal to respond with either a escape sequence. Most of these escape sequences look low-risk, however there are two dangerous commands: the answers to
ESC [ 2 0 t
andESC [ 2 1 t
include the terminal window's icon label and title respectively, and the attacker can choose these. - At least under Debian squeeze, xterm ignores these commands by default; they can be enabled by setting the
allowWindowOps
resource, or selectively through thedisallowedWindowOps
resource. Gnome-terminal under Ubuntu 10.04 implements even the title answerbacks by default. I haven't checked other terminals or versions.
- Commands to set the terminal title or icon name. Under xterm and most other X terminals, they are
ESC ] digit ; title ESC \
. Under Screen, the escape sequence isESC k title ESC \
. I find the concern over these commands overrated. While they do allow some amount of mischief, any web page has the same issue. Acting on a window based solely on its title and not on its class is akin to opening a file whose name was given to you by an untrusted party, or not quoting a variable expansion in a shell script, or patting a rabid dog on the nose — don't complain if you get bitten.
I find Varnish's response disingenuous. It's feels like it's either trying to shift the blame, or in security nazi mode (any security concern, genuine or not, justifies blackballing a feature).
The wisdom of terminal-response-escapes in general have been questioned at regular intervals, but still none of the major terminal emulation programs have seen fit to discard these sequences, probably in a misguided attempt at compatibility with no longer used 1970'es technology. (…)
Instead of blaming any and all programs which writes logfiles, it would be much more productive, from a security point of view, to get the terminal emulation programs to stop doing stupid things, and thus fix this and other security problems once and for all.
Many of the answerbacks are useful features: an application does need to know things like the cursor position and the window size. Setting the window title is also very useful. It would be possible to rely entirely on ioctl
calls for these, however this would have required additional code and utilities to make these ioctl
calls and transate them into unix-style text passing on file descriptors. Changing these interfaces now would be a lot of work, for little benefit.
Text files are not supposed to contain non-printing characters such as control characters. Log files are generally expected to be text files. Log files should not contain control characters.
If you're worried that a file might contain escape sequences, open it in an editor, or view it with less
without the -r
or -R
option, or view it through cat -v
.
Originally, "tty" had two definitions: the hardware (now the emulator) and the driver (interfaced through /dev/pty* or /dev/tty*).
The hardware/emulator was/is responsible for:
- Taking a stream of data and presenting it; this included interpreting control sequences like "move cursor left", "blinking cursor", "clear-screen" although these control sequences were often different among manufacturers.
- Sending keycodes for keys typed by the user; most of these were standard ASCII characters, but some terminals sent propriety keycodes for even standard keys.
The 'tty' driver was responsible for:
- Managing the buffering, in raw or canonical mode; for example, buffering a line of characters until Enter is pressed.
- Managing the control flow; e.g. being able to stop/continue with Cntl-s/Cntl-q.
- Translating propriety keycodes to standard ASCII, where applicable.
- Intercepting certain control characters (like Cntl-c and Backspace) and processing them appropriately (send SIGINT on a Cntl-c or signal an EOF on Cntl-d.
- Canonical display of characters, for example, if
echo
is turned off, then do not send feedback (character typed) back to the terminal.
The terminfo and termcap databases managed what terminal control characters should be sent for an operation (like 'clear-screen'). These control sequences were/are not interpreted by the driver, but by the hardware/emulator.
Related Question
- What’s the right value of $TERM for emacs’ ansi-term, especially if ‘eterm-color’ isn’t available after SSH
- Terminal – Why Using Cat on Binary Files Messes Up the Terminal
- Bash – Bind C-i and TAB keys to different commands in terminal applications via .inputrc
- Linux TTY – Echoed Escape Sequences Not Interpreted
Best Answer
While there were several popular terminals during the 1970s and 1980s, for whatever reason the original developers of xterm starting in the late 1980s chose to use vt100 as a model. From the outset there were differences (such as the alternate screen mode, which may have been influenced by Hewlett Package terminals).
ANSI x3.64 was not based on vt100; DEC was one of several manufacturers who participated in developing the standard. Like most standards, it is compromise. Much of vt100 corresponds to the ANSI x3.64 standard, replaced long ago by ISO-6429 (ECMA-48). It implements perhaps a quarter of ECMA-48, and provides some features not in the standard.
Some features of vt100 not in the standard include:
You've used two of those three, knowing or not. ECMA-48 describes different controls for scrolling which vt100 did not implement, but are supported in xterm (and some of the xterm imitators).
Other ANSI-compliant terminals such as Sun's console emulator did not implement these features (and sending the scrolling region escape there has interesting results).
Strictly speaking, the vt100 did not support the controls for inserting and deleting lines. That was done in vt102 (which is what most people think of as "vt100"). They're part of a series: a complete vt100 emulator can emulate vt52, vt220 can emulate vt100, vt420 can emulate vt220 / vt100 / vt52.
By the mid-1990s, xterm had some of the character-set switching features associated with vt220. Further development added all but soft fonts from the vt220 repertoire (like double-sized characters, this is not used from many programs other than vttest). This is summarized in the manual page section on Emulations.
While ISO-6429 defined color escape sequences, those were not supported by the vt100/vt220 models. Those were supported in the vt525 model, which I've been told was designed and manufactured by Wyse. Neither DEC nor Wyse has made terminals for quite a while, and the behavior of colors in that terminal had no impact on the development of xterm. That had some influence from Linux console — but Linux console's color palette escapes fall completely outside any standard. Its color selection escapes are based on ANSI, but likely in imitation of AT&T (and SCO) consoles rather than by reading the standard itself.