item 30540868 (no title)

tekromancr | 4 years ago
What security implications does running curl have that wouldn't be present in a browser?

feanaro | 4 years ago
There have been instances of terminal vulnerabilities via terminal escape codes, as bad as an RCE in iterm2: https://blog.mozilla.org/security/2019/10/09/iterm2-critical.... I suppose the OP is thinking of something like that.

tekromancr | 4 years ago
Yea, I was wondering about that; but the risk feels similar to a browser RCE to me. Maybe it's higher because browsers are more widely used/analyzed; but then again, a browser RCE has a much wider range of targets with more opportunities to exploit

laumars | 4 years ago
And this is exactly why I’m always playing the damp squid when people advocate for more features being supported via shell escape codes.

artursapek | 4 years ago
I’m wondering the same. You’re not piping them into a shell.
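On the terminal escape codes raised in the thread: the sketch below is an added example, not part of any comment, showing one way to keep a response body fetched with curl from being interpreted by the terminal. The function names and the sample bytes are constructed for illustration.

```python
import re
import sys

# OSC (ESC ] ... BEL or ESC \), CSI (ESC [ params final), then any other C0/DEL byte.
_SEQ = re.compile(
    rb"(?P<osc>\x1b\][^\x07\x1b]*(?:\x07|\x1b\\))"
    rb"|(?P<csi>\x1b\[[0-?]*[ -/]*[@-~])"
    rb"|(?P<ctrl>[\x00-\x08\x0b-\x1f\x7f])"
)

def find_sequences(data: bytes):
    """List (kind, raw bytes) for each control sequence, for logging or alerting."""
    return [(m.lastgroup, m.group()) for m in _SEQ.finditer(data)]

def neutralize(data: bytes) -> str:
    """Return text that is safe to print: every control character is shown
    as a visible \\xNN escape, so the terminal never interprets it."""
    # Invalid UTF-8 (e.g. a raw 8-bit CSI byte 0x9b) becomes a literal \x9b.
    text = data.decode("utf-8", errors="backslashreplace")
    out = []
    for ch in text:
        cp = ord(ch)
        is_control = cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F
        if is_control and ch not in "\n\t":
            out.append(f"\\x{cp:02x}")
        else:
            out.append(ch)
    return "".join(out)

# Constructed sample: a response body that sets the window title and erases a line.
SAMPLE = b"ok\n\x1b]0;title\x07\x1b[2Kdone\x9b\n"

if __name__ == "__main__":
    # Filter mode: curl -s <url> | python3 this_file.py
    body = sys.stdin.buffer.read()
    for kind, raw in find_sequences(body):
        print(f"warning: {kind} sequence {raw!r}", file=sys.stderr)
    sys.stdout.write(neutralize(body))
```

Rewriting every control character, rather than trying to strip only recognized sequences, means a sequence the regex does not know about still reaches the screen as inert text.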