Document that the code is unsafe for future extension #7
Comments
|
Agreed. PR welcome! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
README says "ANSI sequences need to be added." If this is done, and if it includes cursor movement sequences, it is likely to result in security vulnerabilities. Merging of vncterm-derived code with that derived from minicom's vt100.c in prl-vzvncserver did result in critical vulnerabilities, which have since been fixed in that codebase, while vncterm itself is still as naive as it was before. For example,
vcCheckCoordinates()fails to check for and disallow negative coordinates, which may be OK in current vncterm (where cursor only moves right when a character is printed, and the terminal is only scrolled one line when a line is full?), but wouldn't be sufficient with arbitrary cursor movement/scrolling. Also, the terminal sizes are just assumed to be sane (small positive integers, which wouldn't overflow any calculations), which is OK when the main program sets them to sane constants, but would be unsafe if they're made runtime configurable. Perhaps all of this should be documented.The text was updated successfully, but these errors were encountered: