It might, same as many other programs might produce quite unexpected results. For example take "apt-get update": DNS and HTTP transfer is not trusted, so arbitrary terminal commands can executed in the terminal. (If you do not have a MitM-framework at hand, just try the update using a standard Apache server with this rewrite rule and see the title of your terminal change: "RewriteRule ^/.* http://somehostename/xx\%41\%1b\%5d\%3btest\%07xxx [NE,B,R,L]" - another good reason to run your own mirrors on a network you can try to prevent MitM, perhaps over SSL.)

In my opinion, the user of the terminal might somehow also be at fault in those examples. Anyone performing an action should have an estimation, what probability of negative outcome of an action is acceptable. The probability is affected by two things: probability the user does not behave well (mistypes, forgets something, did not read all the manuals thus misusing the tools) or the software misbehaves (according to manual, it should do something else but it does not).

So if I do not really care about quality of my work, I do not fully read the manuals, I do not care about tool qualification and risk assessment, ..., so probability for such an unexpected software feature or bug (is it a bug? therefore the manual needs to state the correct behavior and I did not completely read it) should not be higher or near than my probability of failing. The probability of failing of course includes also the probability of presence of a malicious actor and his ability to raise the probability of failure due to attack surface of tools.

When trying to do things to be safe and secure, then you will care about your own quality of work (SOPs, automation, 4 eyes, ..) but also care about the risk of software failure and try to reduce it. On the terminal topic:

* Where relevant (remote maintenance, working with user supplied data, forensics of compromised equipment, ...) most likely everything is done within system virtualization with something sanitizing away unexpected data. Something like "screen sh -c 'exec bash | strings'" might come in handy or viewing files only with xxd (how likely is a 18kb binary linked to libc only to fail?). I guess it should be common sense, not to trust a some terminal being 10x the size and additionally linking 5 large libraries when it comes to work on something really valuable.

* As you are slowed down by those measures (controlsequences for highlighting, colors, try reading "man ls" that way), enabling some control sequences might also improve your quality of work. So you need to "trust" some program to do that for you, and probably you will trust some more than others. E.g. "screen" purpose is mostly screen multiplexing with control sequence sanitation, while in GUI-terminals it is only half of the program requirements.


Just for testing to see how hard it is to use all software correctly for the paranoid/malicious use case, use xterm to see the different outcomes of data sanitation measures. Try to avoid the crash from python -c 'print "\x1b]4;4;"+"A"*(1<<20)+"\x07"' . Your measures will themselves get quite annoying when working over SSH connections as local control stripping does not work nicely with remote connections and interactive terminals. With "ssh -T" you can at least read output of "ls" quite normal. It is really a pity, that SSH client does not provide control character stripping. As such a program with "secure" in the name, expectation is that there exists an appropriate development process for security and hence the program is more likely to do it right than all the various terms out there.

Conclusio: terminal escape sequence processing is way too complex, to accept it on important systems, so just do not do it. You would not read mail or open a text document on your administration machine also.


LG Roman

PS: To find out, which terminal is less dumb than others, I used the following bziped program to see if terminal crashes, writes data to stdin or otherwise misbehaves to get an estimation of the probability of software failure.

QlpoOTFBWSZTWckOfMMAAEffgFQQae/wmr////4////0MAFbTQhqSaGjRk0DEDIAMRoyGRpk0BoB
6g1T1Tymamg0DRkNADIaBkAAA0ABJIKep6hpiFP1NpGpo9JoAxBo9TQDyTZT01PUVREfq9tosGe5
mTHx8EIXYPwLbeEk4QTnmRsQ/M9KcEjg4QIkMblRAgd0HBcEwSggUTBiDBLa1jVpewypU2WEKGTQ
KSviMlg0h6tjMXFICMCGjMlbfwZ5ynd5QID98S3xjlcYgTdou4WZsbirIXAv4XjxhrOHlpyKEy5j
WGWs+hvTcINTjuvZtexP7t8HCGLkW2GMcZgQE101MADuR1GvVLs956jtwpLcbK6tkuxu2SPosUkG
1aaaNdKKeBVTTTYrw/HiS86K6tzFakd7O3gMrIre8dB+YAy/1RSuKgCqc8uXcUMMxpUcBZHxEMHh
ZBdfa7PiRqSmjlYM/7mLSxj3lUmZvzO21Ec9eUrZ4yThkxH/ObMRInOPPFUqxK6kiBf4u5IpwoSG
SHPmGA==

what version of ping are you using? I was unable to replicate this with
either the debian iputils-ping package version 3:20161105-1, or with
debian inetutils-ping package version 2:1.9.4-2+b1. neither of them seem to
do a getnameinfo() at all if it is initially supplied with an IP
address.

That said, with the same last line of /etc/hosts, getent is willing
to pass along the garbage chars:

0 ***@host:~$ getent hosts 127.0.0.3
127.0.0.3 ; ZZZ
^[G0
0 ***@host:~$ 0
bash: 0: command not found
127 ***@host:~$

--dkg

Thanks a lot, this makes a lot more sense. The confusing part was that the
patch sent by Jason in his mail had nothing to do with this issue.
I agree - rxvt-unicode shouldn't reply with a LF when in secure mode (this
is a policy). The sequence in question is also not used (or even usable,
as it queries the original rxvt graphics mode which is not implemented in
urxvt), so the next version will have it disabled, at least in secure mode
(the default).
I agree, it is a reasonable defense in depth mechanism where the benefit
clearly outweighs the disadvantages.
urxvt always replies with "\033G0\012" to indicate "graphics mode not
supported". It's quite possible the the original rxvt replies with other
sequences.
Again, I fully agree - I just couldn't make the connection between the
patch sent and these "riskiest escape sequences".