[Info-vax] UCX finger client does not sanitize .plan before displaying it

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Mar 30 11:52:41 EDT 2015


This is on Alpha 8.4, UCX 5.7 as shipped on the hobbyist CD.

Unlike the finger clients I have been working with over the last couple
of days, I've just discovered the UCX finger client does not sanitize
the contents of the user's .plan file before displaying it.

This means any escape sequences in the .plan file are displayed on the
user's terminal as-is and hence actioned by the user's terminal.

For comparison, the finger client in the oldest Linux distribution I have
to hand (RH9; over a decade old) modifies the displayed output so any
embedded escape sequences are disabled, as do all the more recent Linux
finger clients I have tried.

Multinet, as running on Eisner, also disables the escape sequences before
displaying them.

Here's a little command procedure to create a .plan file to demonstrate
the problem; run it from sys$login:.

$ esc[0,7] = 27
$ open/write plan_ch .plan
$ write plan_ch esc + "[7mHello World" + esc + "[0m"
$ close plan_ch

Note this will overwrite any existing .plan file you have so make a
backup of it first. You will also probably need to set world read
on the generated .plan file as well for it to be displayed outside
of your account or to be accessible by the fingerd server.

When you "finger {username}", you will see Hello World written in
reverse video when using the UCX finger client.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
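
The output filtering the post says other finger clients perform, shown as an added C example that is not part of the original post and is not code from UCX, Multinet or any Linux finger client. It uses a caret/meta rewrite in the style of cat -v; the name sanitize_plan and the decision to pass newline and tab through unchanged are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Append one byte if room remains; one byte is always kept for the NUL. */
static void put(char *out, size_t outsz, size_t *pos, char c)
{
    if (*pos + 1 < outsz)
        out[(*pos)++] = c;
}

/*
 * Copy untrusted .plan bytes into out so none reaches the terminal as a
 * control code: newline and tab pass through, other C0 controls and DEL
 * become ^X (ESC -> "^["), and high-bit bytes (8-bit CSI 0x9B included)
 * get "M-" then their 7-bit form. Returns length; out is NUL-terminated.
 */
size_t sanitize_plan(const unsigned char *in, size_t n, char *out, size_t outsz)
{
    size_t pos = 0;
    if (outsz == 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        int meta = c >= 0x80;
        if (meta) {
            put(out, outsz, &pos, 'M');
            put(out, outsz, &pos, '-');
            c &= 0x7f;
        }
        int keep_ws = !meta && (c == '\n' || c == '\t');
        if ((c < 0x20 || c == 0x7f) && !keep_ws) {
            put(out, outsz, &pos, '^');
            c ^= 0x40; /* 0x1B -> '[', 0x7F -> '?' */
        }
        put(out, outsz, &pos, (char)c);
    }
    out[pos] = '\0';
    return pos;
}

int main(void)
{
    /* Constructed sample: the bytes the post's command procedure writes. */
    const unsigned char plan[] = "\x1b[7mHello World\x1b[0m\n";
    char safe[128];
    sanitize_plan(plan, sizeof plan - 1, safe, sizeof safe);
    fputs(safe, stdout); /* prints ^[[7mHello World^[[0m */
    return 0;
}
```

The "M-" rewrite also alters legitimate 8-bit text, which is the price of not trusting any byte above 0x7F on a terminal that honours C1 controls.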


