AcceptEnv LANG LC_* vs available locales
Philipp Marek
philipp at marek.priv.at
Fri Apr 29 21:16:10 AEST 2022
>> But how could it use this for code execution on the local machine?
>
> By the remote attacker sending whatever of
>
> https://invisible-island.net/xterm/ctlseqs/ctlseqs.html
>
> is most inconvenient for you, the user on the client?
Well, the only solution for that is to have a client that filters
the incoming control sequences (tmux was already mentioned?!).
Or use a remote terminal - like with mosh, which has a screen
on the remote side and only transfers the characters and colors -
so no local keyboard redefinitions, window title changes, etc.
More information about the openssh-unix-dev
mailing list
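
The client-side filtering suggested in the message above, as an added example (not part of the original post, and not code from OpenSSH, tmux or mosh): it keeps text and SGR colour sequences and drops every other control sequence, so window-title and keyboard-redefinition strings never reach the terminal. The name `sanitize` and the sample bytes are constructed for illustration; the sketch assumes UTF-8 output and a complete buffer rather than a live stream.

```python
import re

# One pattern for the control constructs a terminal interprets; first match wins.
_TOKEN = re.compile(
    # OSC, DCS, SOS, PM, APC strings (7-bit or C1 introducer) up to BEL/ST,
    # or to the end of the buffer when unterminated.
    r"(?P<string>(?:\x1b[\]PX^_]|[\x90\x98\x9d\x9e\x9f]).*?(?:\x07|\x1b\\|\x9c|\Z))"
    # CSI: parameter bytes, intermediate bytes, optional final byte.
    r"|(?P<csi>(?:\x1b\[|\x9b)(?P<params>[\x30-\x3f]*)"
    r"(?P<inter>[\x20-\x2f]*)(?P<final>[\x40-\x7e])?)"
    # Any other ESC sequence, including a lone ESC.
    r"|(?P<esc>\x1b[\x20-\x2f]*[\x30-\x7e]?)"
    # Remaining C0/C1 controls and DEL; TAB, LF and CR are not listed, so they pass.
    r"|(?P<ctrl>[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f])",
    re.DOTALL,
)

def _keep_or_drop(m):
    # Allow-list: only plain SGR (colours/attributes) survives. A private
    # prefix such as '>' or '?' before the final 'm' is not SGR and is dropped.
    if (m.group("csi") and m.group("final") == "m" and not m.group("inter")
            and re.fullmatch(r"[0-9;:]*", m.group("params"))):
        return "\x1b[" + m.group("params") + "m"  # normalise C1 CSI to 7-bit
    return ""

def sanitize(data: bytes) -> str:
    """Return remote output with everything except text and colours removed."""
    # Decode first so that C1 controls sent as UTF-8 (e.g. U+009B) are seen.
    text = data.decode("utf-8", errors="replace")
    return _TOKEN.sub(_keep_or_drop, text)

# Constructed sample of what a remote host might send.
SAMPLE = (
    b"\x1b]0;constructed title\x07"       # OSC: window title change, dropped
    b"\x1b[1;31mALERT\x1b[0m ok\r\n"      # SGR colours, kept
    b"\x1b[2J\x1b[?1049h"                 # erase display / mode set, dropped
    b"\x1bPconstructed payload\x1b\\"     # DCS string, dropped
    b"\xc2\x9b5mblink\xc2\x9b0m\n"        # SGR via C1 CSI, kept and normalised
)

if __name__ == "__main__":
    print(repr(sanitize(SAMPLE)))
```
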