[Info-vax] UCX finger client does not sanitize .plan before displaying it
Ian Miller
gxys at uk2.net
Tue Mar 31 10:42:47 EDT 2015
On Monday, March 30, 2015 at 4:53:35 PM UTC+1, Simon Clubley wrote:
> This is on Alpha 8.4, UCX 5.7 as shipped on the hobbyist CD.
>
> Unlike the finger clients I have been working with over the last couple
> of days, I've just discovered the UCX finger client does not sanitize
> the contents of the user's .plan file before displaying it.
>
> This means any escape sequences in the .plan file are displayed on the
> user's terminal as-is and hence actioned by the user's terminal.
>
> For comparison, the finger client in the oldest Linux distribution I have
> to hand (RH9; over a decade old) modifies the displayed output so any
> embedded escape sequences are disabled as do all the more recent Linux
> finger clients I have tried.
>
> Multinet, as running on Eisner, also disables the escape sequences before
> displaying them.
>
> Here's a little command procedure to create a .plan file to demonstrate
> the problem; run it from sys$login:.
>
> $ esc[0,7] = 27
> $ open/write plan_ch .plan
> $ write plan_ch esc + "[7mHello World" + esc + "[0m"
> $ close plan_ch
>
> Note this will overwrite any existing .plan file you have so make a
> backup of it first. You will also probably need to set world read
> on the generated .plan file as well for it to be displayed outside
> of your account or to be accessible by the fingerd server.
>
> When you "finger {username}", you will see Hello World written in
> reverse video when using the UCX finger client.
>
> Simon.
>
> --
> Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
> Microsoft: Bringing you 1980s technology to a 21st century world
I vaguely remember this being discovered in an older version. I thought they would have fixed it by now, but I don't enable that service on any system I manage so it has not been an issue to me.
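
The sanitizing step discussed in this thread, as an added example that is not part of either message and is not code from UCX, Multinet or any Linux finger client. The function name `sanitize_plan` and the escaping policy (caret notation for C0 controls, `\xNN` for 8-bit C1 controls, 0xA0-0xFF passed through) are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not UCX, Multinet or Linux finger source).
 * Rewrites every byte a terminal could act on before .plan text is shown:
 *   - '\n', '\t' and printable ASCII pass through unchanged
 *   - C0 controls and DEL become caret notation (ESC -> "^[")
 *   - 8-bit C1 controls 0x80-0x9F become "\xNN"; 0x9B is CSI, which
 *     VT-series terminals in 8-bit mode treat the same as ESC '['
 *   - 0xA0-0xFF pass through (assumed: an 8-bit character set is in use)
 * Returns bytes written excluding the NUL, or (size_t)-1 if dst is too small. */
size_t sanitize_plan(const unsigned char *src, size_t len, char *dst, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;

    if (cap == 0)
        return (size_t)-1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        if (cap - o < 5)               /* worst case: 4 output bytes + NUL */
            return (size_t)-1;
        if (c == '\n' || c == '\t' || (c >= 0x20 && c < 0x7f) || c >= 0xa0) {
            dst[o++] = (char)c;
        } else if (c < 0x20 || c == 0x7f) {
            dst[o++] = '^';
            dst[o++] = (char)(c ^ 0x40);   /* 0x1b -> '[', 0x7f -> '?' */
        } else {                           /* 0x80-0x9f */
            dst[o++] = '\\';
            dst[o++] = 'x';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0f];
        }
    }
    dst[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: the bytes the thread's command procedure writes. */
    static const unsigned char plan[] = "\x1b[7mHello World\x1b[0m\n";
    char out[128];

    if (sanitize_plan(plan, sizeof plan - 1, out, sizeof out) != (size_t)-1)
        fputs(out, stdout);     /* ^[[7mHello World^[[0m */
    return 0;
}
```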