AcceptEnv LANG LC_* vs available locales

Philipp Marek philipp at marek.priv.at
Fri Apr 29 21:16:10 AEST 2022


>> But how could it use this for code execution on the local machine?
> 
> By the remote attacker sending whatever of
> 
>   https://invisible-island.net/xterm/ctlseqs/ctlseqs.html
> 
> is most inconvenient for you, the user on the client?

Well, the only solution for that is to have a client that filters
the incoming control sequences (tmux was already mentioned?!).


Or use a remote terminal - like with mosh, which has a screen
on the remote side and only transfers the characters and colors -
so no local keyboard redefinitions, window title changes, etc.
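
The client-side filtering suggested above, as an added example that is not part of the original message: a sketch that passes printable text and plain colour/attribute (SGR) sequences and drops every other control sequence, including window-title and key-definition strings. The names `sanitize`, `SEQ` and `SGR` are hypothetical, and the sketch assumes the remote output has already been decoded to text and is handed over as one complete buffer.

```python
import re

# Sequence grammar per ECMA-48 as listed in xterm's ctlseqs, 7-bit ESC and C1 forms.
SEQ = re.compile(
    r"(?:\x1b[PX\]^_]|[\x90\x98\x9d\x9e\x9f])"               # DCS, SOS, OSC, PM, APC
    r"[^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)?"                 # payload up to BEL or ST
    r"|(?:\x1b\[|\x9b)[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]?"  # CSI
    r"|\x1b[\x20-\x2f]*[\x30-\x7e]?"                         # any other ESC sequence
    r"|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]"                # leftover C0/C1 controls
)

# Allow-list: SGR with numeric parameters only. A private marker such as
# "CSI > ... m" changes xterm key-modifier options and must not pass as a colour.
SGR = re.compile(r"\x1b\[[0-9;:]*m")


def sanitize(text: str) -> str:
    """Return text with every control sequence removed except plain SGR.

    Tab, LF and CR are kept. An unterminated string sequence swallows the
    rest of the buffer (fail closed); a streaming filter would have to
    carry that parser state across reads instead.
    """
    return SEQ.sub(lambda m: m.group(0) if SGR.fullmatch(m.group(0)) else "", text)


# Constructed sample output, as a client might receive it from a remote host.
SAMPLES = [
    "\x1b[1;31mred\x1b[0m plain\n",      # colours: kept
    "\x1b]0;new window title\x07ok",     # OSC title change, BEL-terminated
    "\x1b]0;title\x1b\\ok",              # OSC title change, ST-terminated
    "\x1bP+q544e\x1b\\ok",               # DCS string
    "\x1b[>4;2mok",                      # looks like SGR, is a key-modifier option
    "\x1b[2J\x1b[Hok",                   # clear screen, cursor home
    "a\x9b31mb",                         # C1 CSI form
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(sanitize(s)))
```
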

