VT100 terminals (which all modern terminal emulators emulate to some extent) supported a number of problematic commands, but modern emulators or distributions disable the more problematic and less useful ones. Here's a non-exhaustive list of potentially risky escape sequences (not including the ones that merely make the display unreadable in some way):
- The arbitrary log file commands in rxvt and Eterm reported by H.D. Moore. These are indeed major bugs, fortunately long fixed.
- The answerback command, also known as Return Terminal Status, invoked by
ENQ
(Ctrl+E
). This inserts text into the terminal as if the user had typed it. However, this text is not under control of the attacker: it is the terminal's own name, typically something like xterm
or screen
. On my system (Debian squeeze), xterm returns the empty string by default (this is controlled by the answerbackString
resource).
- The Send Device Attributes commands,
ESC [ c
and friends. The terminal responds with ESC [ … c
(where the …
can contain digits and ASCII punctuation marks only). This is a way of querying some terminal capabilities, mostly obsolete but perhaps used by old applications. Again, the terminal's response is indistinguishable from user input, but it is not under control of the attacker. The control sequence might look like a function key, but only if the user has an unusual configuration (none of the usual settings I've encountered has a valid function key escape sequence that's a prefix of the terminal response).
- The various device control functions (DCS escapes, beginning with
ESC P
).
- I don't know what harm can be done through
DECUDK
(set user-defined keys) on a typical terminal emulator.
DECRQSS
(Request Status String) is yet another command to which the terminal responds with an escape sequence, this time beginning with \eP
; this can be problematic since \eP
is a valid key (Alt+Shift+P).
- Xterm has two more experimental features:
ESC P + p …
and ESC P + q …
, to get and set termcap strings. From the description, this might be used at least to modify the effect of function keys.
- Several status report commands:
ESC [ … n
(Device Status Report). The terminal responds with an escape sequence. Most of these escape sequences don't correspond to function key escape sequences. One looks problematic: the report to ESC [ 6 n
is of the form ESC [ x ; y R
where x
and y
are digit sequences, and this could look like F3 with some modifiers.
- Window manipulation commands
ESC [ … t
.
- Some of these allow the xterm window to be resized, iconified, etc., which is disruptive.
- Some of these cause the terminal to respond with either a escape sequence. Most of these escape sequences look low-risk, however there are two dangerous commands: the answers to
ESC [ 2 0 t
and ESC [ 2 1 t
include the terminal window's icon label and title respectively, and the attacker can choose these.
- At least under Debian squeeze, xterm ignores these commands by default; they can be enabled by setting the
allowWindowOps
resource, or selectively through the disallowedWindowOps
resource. Gnome-terminal under Ubuntu 10.04 implements even the title answerbacks by default. I haven't checked other terminals or versions.
- Commands to set the terminal title or icon name. Under xterm and most other X terminals, they are
ESC ] digit ; title ESC \
. Under Screen, the escape sequence is ESC k title ESC \
. I find the concern over these commands overrated. While they do allow some amount of mischief, any web page has the same issue. Acting on a window based solely on its title and not on its class is akin to opening a file whose name was given to you by an untrusted party, or not quoting a variable expansion in a shell script, or patting a rabid dog on the nose — don't complain if you get bitten.
I find Varnish's response disingenuous. It's feels like it's either trying to shift the blame, or in security nazi mode (any security concern, genuine or not, justifies blackballing a feature).
The wisdom of terminal-response-escapes in general have been questioned
at regular intervals, but still none of the major terminal emulation
programs have seen fit to discard these sequences, probably in a
misguided attempt at compatibility with no longer used 1970'es
technology. (…)
Instead of blaming any and all programs which writes logfiles, it would
be much more productive, from a security point of view, to get the
terminal emulation programs to stop doing stupid things, and thus fix
this and other security problems once and for all.
Many of the answerbacks are useful features: an application does need to know things like the cursor position and the window size. Setting the window title is also very useful. It would be possible to rely entirely on ioctl
calls for these, however this would have required additional code and utilities to make these ioctl
calls and transate them into unix-style text passing on file descriptors. Changing these interfaces now would be a lot of work, for little benefit.
Text files are not supposed to contain non-printing characters such as control characters. Log files are generally expected to be text files. Log files should not contain control characters.
If you're worried that a file might contain escape sequences, open it in an editor, or view it with less
without the -r
or -R
option, or view it through cat -v
.
If using bash
, the following should do the trick:
TOLASTLINE=$(tput cup "$LINES")
PS1="\[$TOLASTLINE\]$PS1"
Or (less efficient as it runs one tput
command before each prompt, but works after the terminal window has been resized):
PS1='\[$(tput cup "$LINES")\]'$PS1
To prevent tput
from changing the exit code, you can explicitly save and reset it:
PS1='\[$(retval=$?;tput cup "$LINES";exit $retval)\]'$PS1
Note that the variable retval
is local; it doesn't affect any retval
variable you might have defined otherwise in the shell.
Since most terminals cup
capability is the same \e[y;xH
, you could also hardcode it:
PS1='\[\e[$LINES;1H\]'$PS1
If you want it to be safe against later resetting of PS1, you can also utilize the PROMPT_COMMAND
variable. If set, it is run as command before the prompt is output. So the effect can also be achieved by
PROMPT_COMMAND='(retval=$?;tput cup "$LINES";exit $retval)'
Of course, while resetting PS1
won't affect this, some other software might also change PROMPT_COMMAND
.
Best Answer
An X resource name consists of a list of components separated by periods. Each component can be either an instance name or a class name. Instances identify a specific component (e.g. the third button on the top row) while classes identify a type of components (e.g. all buttons in the main window). By convention, class names begin with an uppercase letter and instance names begin with a lowercase letter. See Doubts about creating a .Xresources file. or the read the X documentation for more details.
The first component of a resource name is the application. At this level, the class name some application name chosen by the author of the application; for Xterm, that's
XTerm
(by convention, for applications called X Foo, the second letter is also capitalized). The instance name is, by default, the name of the executable file used to launch the application. Conventional X applications support command line options-name
and-class
to override these default values.When you start Xterm through a symbolic link, this changes the name of the executable file (it's the name you use that matters, or more precisely the name that the calling processes passes in argument 0). Thus the instance name (used, among other less visible things, for resource lookup) changes. If you want your settings to apply regardless of the name used to invoke Xterm, define your resources (in
~/.Xresources
or whatever file you chose to put them) through the class, e.g.instead of through the instance (
).xterm.VT100.background