Fix two possible attack vectors, where an attacker can store

information into the termianl and then get to replay it. Two of those instances are setting the terminal title, and icon title, and then requesting the values back (see CVE-2003-0063[2] and https://marc.info/?l=bugtraq&m=104612710031920&w=2 for details). And another case is sending an invalid DECRQSS sequence, which the handler would respond back with the results, see here for how this is used: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030 CVE-2008-2383[3] These bugs were found and disclosed by David Leadbeater <dgl@dgl.cx> (@dgl at Github.com)
migueldeicaza · Dec 2, 2022 · a94e6b2 · a94e6b2
1 parent 9f5081f
commit a94e6b2
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/Sources/SwiftTerm/Terminal.swift b/Sources/SwiftTerm/Terminal.swift
@@ -705,7 +705,9 @@ open class Terminal {
                 ok = 0 // this means the request is not valid, report that to the host.
                 // invalid: DCS 0 $ r Pt ST (xterm)
                 terminal.log ("Unknown DCS + \(newData!)")
-                result = newData ?? ""
+                // Do not report 'newData', because it can be exploited
+                // see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030
+                result = ""
 
             }
             terminal.sendResponse (terminal.cc.DCS, "\(ok)$r\(result)", terminal.cc.ST)
@@ -2638,11 +2640,13 @@ open class Terminal {
                 sendResponse(cc.CSI, "9;\(rows);\(cols)t")
             }
         case [20]:
-            let it = iconTitle.replacingOccurrences(of: "\\", with: "")
-            sendResponse (cc.OSC, "L\(it)", cc.ST)
+            // Do not report the actual title back, as it can be exploited,
+            // https://marc.info/?l=bugtraq&m=104612710031920&w=2
+            sendResponse (cc.OSC, "L", cc.ST)
         case [21]:
-            let tt = terminalTitle.replacingOccurrences(of: "\\", with: "")
-            sendResponse (cc.OSC, "l\(tt)", cc.ST)
+            // Do not report the actual content of the title back, as it can be exploited,
+            // https://marc.info/?l=bugtraq&m=104612710031920&w=2
+            sendResponse (cc.OSC, "l", cc.ST)
         case [22, 0]:
             terminalTitleStack = terminalTitleStack + [terminalTitle]
             terminalIconStack = terminalIconStack + [iconTitle]