> This is of course a harmless PoC and you can try it out using docker pull vin01/escape-seq-test:latest --platform darwin/arm64 or docker run --rm vin01/escape-seq-test and you should see the injected link as shown below.
Wow, I wouldn't have expected `docker pull` in particular to allow arbitrary content injection. Does anyone know of any tools which scan images being pulled before passing them over to `docker` for processing?
> I wouldn't have expected `docker pull` in particular to allow arbitrary content injection.
Having read Docker source code and seen a repetitive pattern of silly mistakes with dire consequences, I emphatically would expect it to have such, and many other similar, issues.
My personal favorite is still the time they computed a hash of a download, but then failed to compare it to anything.
Electron beatings will continue for as long as making a proper GUI for major platforms requires learning three different languages and four different UI toolkits, where every one of them is less flexible and harder to use than the web stack.
For developers Electron is the easiest way to have a portable UI, with very flexible and capable styling, decent text rendering, animations, and a layout and rendering engine optimized for a very broad range of use-cases, with fantastic developer tools.
Would it help if SSH clients don't pass TERM variable to identify that current terminal is capable of handling "\e]8" ? I assume TERM is how the remote application know that this exploit is available.
I also assume that this vulnerability is meant for remote apps accessed via SSH or similar, since a compromised app that is executed locally probably have easier exploits (they might just run calculator or whatever directly without going through escape sequences, for example).
AFAIK, the remote applications simply do an isatty() check on the stdout and that's it; a proper terminal is then apparently expected to correctly skip and quietly ignore any OSC sequence it does not understand. See the source of ls [0], for example.
>Any links using those schemes when clicked, would open the MacOS terminal to perform the corresponding action.
I'm unclear which of these are being described:
1: when printed and clicked, they may be handled by the terminal, and the terminal's handling allows more behaviors than it should, allowing code execution
2: when printed, these urls are automatically executed by the shell, allowing code execution
Neither are good of course, but they're different levels of badness, and I feel like I must be missing a single critical word somewhere to be able to figure out which it is.
---
That said, oh boy I do not want this:
>Most terminal emulators these days allow using Osc 8 to directly generate hyperlinks from arbitrary text.
Is there a standard way to disable it? That sounds awful, terminals don't have even a small fraction of browsers' malicious-link-defense mechanisms (as demonstrated). I always want to see the full url in a terminal.
Huh, I just disabled it in Preferences and kept on rolling. This is the other viable option: Settings->Pointer->General and disable cmd-click opens filename/URL.
I had just gotten the upgrade notification for 3.5.0 a few minutes ago. I scrolled through the release notes a bit and got to the "AI" section and I would like very much to get off this ride. I am grumpy and a terminal should be a terminal.
Features of iTerm2 I don't use and don't think belong in a terminal emulator:
- tmux integration
- shell integration
- ssh integration
- password manager integration
- hooks
- syntax highlighting *that's baked into the terminal*
- installing its own python runtimes (?!)
- ~blindly~ opening URLs when rendering a certain escape sequence [0]
- fullscreen without using MacOS's spaces implementation of fullscreen
.... This got away from me and went from grumpy muttering to a snarky rant. I like iTerm2, it's just starting to feel like somebody else's terminal, that's all.
Edit: tried to cross out "blindly" above, it does ask you whether you want to open the URL, though it offers to always allow it for that host which seems like it might be iffy, but at least if I never click "always allow", I'll be notified if anything tries to inject this OSC sequence.
Just to double-check: you know that option-clicking on the green fullscreen icon does something close to fullscreen-without-spaces-implementation right?
Honestly I never understood the need to replace macOS Terminal. I'm heavy terminal user, that's my most used application by far. But macOS Terminal is absolutely fine for my needs and I never felt the need for any additional features.
Huh? Typing passwords would be a nice feature, nicer than the myriad of other ancient teletype control codes. Something like ^p (type password) ^P (return to terminal).
leftcenterright|1 year ago
Wow, I wouldn't have expected `docker pull` in particular to allow arbitrary content injection. Does anyone know of any tools which scan images being pulled before passing them over to `docker` for processing?
yencabulator|1 year ago
Having read Docker source code and seen a repetitive pattern of silly mistakes with dire consequences, I emphatically would expect it to have such, and many other similar, issues.
My personal favorite is still the time they computed a hash of a download, but then failed to compare it to anything.
adrianceleste|1 year ago
unknown|1 year ago
[deleted]
lxgr|1 year ago
> Hyper is an Electron-based terminal
Why!?
pornel|1 year ago
For developers Electron is the easiest way to have a portable UI, with very flexible and capable styling, decent text rendering, animations, and a layout and rendering engine optimized for a very broad range of use-cases, with fantastic developer tools.
omoikane|1 year ago
I also assume that this vulnerability is meant for remote apps accessed via SSH or similar, since a compromised app that is executed locally probably have easier exploits (they might just run calculator or whatever directly without going through escape sequences, for example).
Joker_vD|1 year ago
[0] https://github.com/coreutils/coreutils/blob/2a72cf1e9959f40b...
yencabulator|1 year ago
Groxx|1 year ago
I'm unclear which of these are being described:
1: when printed and clicked, they may be handled by the terminal, and the terminal's handling allows more behaviors than it should, allowing code execution
2: when printed, these urls are automatically executed by the shell, allowing code execution
Neither are good of course, but they're different levels of badness, and I feel like I must be missing a single critical word somewhere to be able to figure out which it is.
---
That said, oh boy I do not want this:
>Most terminal emulators these days allow using Osc 8 to directly generate hyperlinks from arbitrary text.
Is there a standard way to disable it? That sounds awful, terminals don't have even a small fraction of browsers' malicious-link-defense mechanisms (as demonstrated). I always want to see the full url in a terminal.
vin10|1 year ago
Repulsion9513|1 year ago
eviks|1 year ago
classified|1 year ago
HunterWare|1 year ago
cobbal|1 year ago
philsnow|1 year ago
> Upgrade to iTerm2 3.5.0
I had just gotten the upgrade notification for 3.5.0 a few minutes ago. I scrolled through the release notes a bit and got to the "AI" section and I would like very much to get off this ride. I am grumpy and a terminal should be a terminal.
Features of iTerm2 I don't use and don't think belong in a terminal emulator:
[0] https://gitlab.com/gnachman/iterm2/-/issues/10994 the discussion in there makes it seem like it's okay because many schemes that aren't http[s] cause the browser to open a dialog boxFeatures of iTerm2 I use:
.... This got away from me and went from grumpy muttering to a snarky rant. I like iTerm2, it's just starting to feel like somebody else's terminal, that's all.Edit: tried to cross out "blindly" above, it does ask you whether you want to open the URL, though it offers to always allow it for that host which seems like it might be iffy, but at least if I never click "always allow", I'll be notified if anything tries to inject this OSC sequence.
shzhdbi09gv8ioi|1 year ago
It is cross OS (learn once and use the same terminal in Windows, macOS and Linux), actively developed and written in rust
robin_reala|1 year ago
Tyr42|1 year ago
make3|1 year ago
lxgr|1 year ago
What's keeping you? It sounds like you want a much more lightweight terminal emulator that iTerm, which is totally fair, and I bet that exists!
sebzim4500|1 year ago
vbezhenar|1 year ago
GoblinSlayer|1 year ago