mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-07-01 03:22:48 -05:00
Patch inspired by one from Daniel Silverstone in Debian bug #229232:
We now have an option where a remote window title query returns a well-formed response containing the empty string. This should keep stop any server-side application that was expecting a response from hanging, while not permitting the response to be influenced by an attacker. We also retain the ability to stay schtum. The existing checkbox has thus grown into a set of radio buttons. I've changed the default to the "empty string" response, even in the backward- compatibility mode of loading old settings, which is a change in behaviour; any users who want the old behaviour back will have to explicitly select it. I think this is probably the Right Thing. (The only drawback I can think of is that an attacker could still potentially use the relevant fixed strings for mischief, but we already have other, similar reports.) [originally from svn r7043]
This commit is contained in:
Jacob Nevins
@ -882,7 +882,7 @@ commands from the server. If you find PuTTY is doing this
|
||||
unexpectedly or inconveniently, you can tell PuTTY not to respond to
|
||||
those server commands.
|
||||
|
||||
\S{config-features-qtitle} Disabling remote \i{window title} querying
|
||||
\S{config-features-qtitle} Response to remote \i{window title} querying
|
||||
|
||||
\cfg{winhelp-topic}{features.qtitle}
|
||||
|
||||
@ -899,8 +899,28 @@ service to have the new window title sent back to the server as if
|
||||
typed at the keyboard. This allows an attacker to fake keypresses
|
||||
and potentially cause your server-side applications to do things you
|
||||
didn't want. Therefore this feature is disabled by default, and we
|
||||
recommend you do not turn it on unless you \e{really} know what you
|
||||
are doing.
|
||||
recommend you do not set it to \q{Window title} unless you \e{really}
|
||||
know what you are doing.
|
||||
|
||||
There are three settings for this option:
|
||||
|
||||
\dt \q{None}
|
||||
|
||||
\dd PuTTY makes no response whatsoever to the relevant escape
|
||||
sequence. This may upset server-side software that is expecting some
|
||||
sort of response.
|
||||
|
||||
\dt \q{Empty string}
|
||||
|
||||
\dd PuTTY makes a well-formed response, but leaves it blank. Thus,
|
||||
server-side software that expects a response is kept happy, but an
|
||||
attacker cannot influence the response string. This is probably the
|
||||
setting you want if you have no better ideas.
|
||||
|
||||
\dt \q{Window title}
|
||||
|
||||
\dd PuTTY responds with the actual window title. This is dangerous for
|
||||
the reasons described above.
|
||||
|
||||
\S{config-features-dbackspace} Disabling \i{destructive backspace}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user