Skip to content

Commit a94e6b2

Browse files
migueldeicazamigueldeicaza
committed
Fix two possible attack vectors, where an attacker can store
information into the termianl and then get to replay it. Two of those instances are setting the terminal title, and icon title, and then requesting the values back (see CVE-2003-0063[2] and https://marc.info/?l=bugtraq&m=104612710031920&w=2 for details). And another case is sending an invalid DECRQSS sequence, which the handler would respond back with the results, see here for how this is used: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030 CVE-2008-2383[3] These bugs were found and disclosed by David Leadbeater <[email protected]> (@dgl at Github.com)
1 parent 9f5081f commit a94e6b2

File tree

1 file changed

+9
-5
lines changed

1 file changed

+9
-5
lines changed

Sources/SwiftTerm/Terminal.swift

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -705,7 +705,9 @@ open class Terminal {
705705
ok = 0 // this means the request is not valid, report that to the host.
706706
// invalid: DCS 0 $ r Pt ST (xterm)
707707
terminal.log ("Unknown DCS + \(newData!)")
708-
result = newData ?? ""
708+
// Do not report 'newData', because it can be exploited
709+
// see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030
710+
result = ""
709711

710712
}
711713
terminal.sendResponse (terminal.cc.DCS, "\(ok)$r\(result)", terminal.cc.ST)
@@ -2638,11 +2640,13 @@ open class Terminal {
26382640
sendResponse(cc.CSI, "9;\(rows);\(cols)t")
26392641
}
26402642
case [20]:
2641-
let it = iconTitle.replacingOccurrences(of: "\\", with: "")
2642-
sendResponse (cc.OSC, "L\(it)", cc.ST)
2643+
// Do not report the actual title back, as it can be exploited,
2644+
// https://marc.info/?l=bugtraq&m=104612710031920&w=2
2645+
sendResponse (cc.OSC, "L", cc.ST)
26432646
case [21]:
2644-
let tt = terminalTitle.replacingOccurrences(of: "\\", with: "")
2645-
sendResponse (cc.OSC, "l\(tt)", cc.ST)
2647+
// Do not report the actual content of the title back, as it can be exploited,
2648+
// https://marc.info/?l=bugtraq&m=104612710031920&w=2
2649+
sendResponse (cc.OSC, "l", cc.ST)
26462650
case [22, 0]:
26472651
terminalTitleStack = terminalTitleStack + [terminalTitle]
26482652
terminalIconStack = terminalIconStack + [iconTitle]

0 commit comments

Comments
 (0)