mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-10 09:58:01 +00:00

Disable window title reporting by default, since it's a security

hazard. I considered removing it completely, but I can't rule out
the possibility of an OS that actually takes security of its
terminal devices seriously, and which might be able to make sensible
and safe use of this feature.

[originally from svn r3103]
Simon Tatham 2003-04-12 08:59:06 +00:00
parent bc4e41154a
commit 4b6ffd99f1
6 changed files with 32 additions and 3 deletions


@ -1014,6 +1014,9 @@ void setup_config_box(struct controlbox *b, struct sesslist *sesslist,
HELPCTX(features_retitle), HELPCTX(features_retitle),
dlg_stdcheckbox_handler, dlg_stdcheckbox_handler,
I(offsetof(Config,no_remote_wintitle))); I(offsetof(Config,no_remote_wintitle)));
ctrl_checkbox(s, "Disable remote window title querying (SECURITY)",
'q', HELPCTX(features_qtitle), dlg_stdcheckbox_handler,
I(offsetof(Config,no_remote_qtitle)));
ctrl_checkbox(s, "Disable destructive backspace on server sending ^?",'b', ctrl_checkbox(s, "Disable destructive backspace on server sending ^?",'b',
HELPCTX(features_dbackspace), HELPCTX(features_dbackspace),
dlg_stdcheckbox_handler, I(offsetof(Config,no_dbackspace))); dlg_stdcheckbox_handler, I(offsetof(Config,no_dbackspace)));


@ -1,4 +1,4 @@
\versionid $Id: config.but,v 1.61 2003/04/11 17:39:48 simon Exp $ \versionid $Id: config.but,v 1.62 2003/04/12 08:59:06 simon Exp $
\C{config} Configuring PuTTY \C{config} Configuring PuTTY
@ -776,6 +776,26 @@ commands from the server. If you find PuTTY is doing this
unexpectedly or inconveniently, you can tell PuTTY not to respond to unexpectedly or inconveniently, you can tell PuTTY not to respond to
those server commands. those server commands.
\S{config-features-qtitle} Disabling remote window title querying
\cfg{winhelp-topic}{features.qtitle}
PuTTY can optionally provide the xterm service of allowing server
applications to find out the local window title. This feature is
disabled by default, but you can turn it on if you really want it.
NOTE that this feature is a \e{potential security hazard}. If a
malicious application can write data to your terminal (for example,
if you merely \c{cat} a file owned by someone else on the server
machine), it can change your window title (unless you have disabled
this as mentioned in \k{config-features-retitle}) and then use this
service to have the new window title sent back to the server as if
typed at the keyboard. This allows an attacker to fake keypresses
and potentially cause your server-side applications to do things you
didn't want. Therefore this feature is disabled by default, and we
recommend you do not turn it on unless you \e{really} know what you
are doing.
\S{config-features-dbackspace} Disabling destructive backspace \S{config-features-dbackspace} Disabling destructive backspace
\cfg{winhelp-topic}{features.dbackspace} \cfg{winhelp-topic}{features.dbackspace}


@ -378,6 +378,7 @@ struct config_tag {
int no_remote_wintitle; /* disable remote retitling */ int no_remote_wintitle; /* disable remote retitling */
int no_dbackspace; /* disable destructive backspace */ int no_dbackspace; /* disable destructive backspace */
int no_remote_charset; /* disable remote charset config */ int no_remote_charset; /* disable remote charset config */
int no_remote_qtitle; /* disable remote win title query */
int app_cursor; int app_cursor;
int app_keypad; int app_keypad;
int nethack_keypad; int nethack_keypad;


@ -240,6 +240,7 @@ void save_open_settings(void *sesskey, int do_host, Config *cfg)
write_setting_i(sesskey, "NoRemoteResize", cfg->no_remote_resize); write_setting_i(sesskey, "NoRemoteResize", cfg->no_remote_resize);
write_setting_i(sesskey, "NoAltScreen", cfg->no_alt_screen); write_setting_i(sesskey, "NoAltScreen", cfg->no_alt_screen);
write_setting_i(sesskey, "NoRemoteWinTitle", cfg->no_remote_wintitle); write_setting_i(sesskey, "NoRemoteWinTitle", cfg->no_remote_wintitle);
write_setting_i(sesskey, "NoRemoteQTitle", cfg->no_remote_qtitle);
write_setting_i(sesskey, "NoDBackspace", cfg->no_dbackspace); write_setting_i(sesskey, "NoDBackspace", cfg->no_dbackspace);
write_setting_i(sesskey, "NoRemoteCharset", cfg->no_remote_charset); write_setting_i(sesskey, "NoRemoteCharset", cfg->no_remote_charset);
write_setting_i(sesskey, "ApplicationCursorKeys", cfg->app_cursor); write_setting_i(sesskey, "ApplicationCursorKeys", cfg->app_cursor);
@ -472,6 +473,7 @@ void load_open_settings(void *sesskey, int do_host, Config *cfg)
gppi(sesskey, "NoRemoteResize", 0, &cfg->no_remote_resize); gppi(sesskey, "NoRemoteResize", 0, &cfg->no_remote_resize);
gppi(sesskey, "NoAltScreen", 0, &cfg->no_alt_screen); gppi(sesskey, "NoAltScreen", 0, &cfg->no_alt_screen);
gppi(sesskey, "NoRemoteWinTitle", 0, &cfg->no_remote_wintitle); gppi(sesskey, "NoRemoteWinTitle", 0, &cfg->no_remote_wintitle);
gppi(sesskey, "NoRemoteQTitle", 1, &cfg->no_remote_qtitle);
gppi(sesskey, "NoDBackspace", 0, &cfg->no_dbackspace); gppi(sesskey, "NoDBackspace", 0, &cfg->no_dbackspace);
gppi(sesskey, "NoRemoteCharset", 0, &cfg->no_remote_charset); gppi(sesskey, "NoRemoteCharset", 0, &cfg->no_remote_charset);
gppi(sesskey, "ApplicationCursorKeys", 0, &cfg->app_cursor); gppi(sesskey, "ApplicationCursorKeys", 0, &cfg->app_cursor);
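Review bot: The default of `1` passed to gppi for "NoRemoteQTitle" in load_open_settings is the only non-zero default among the neighbouring No* settings, and nothing on the line says why. Sessions saved before this change have no such key, so this default is what switches title reporting off for them. A one-line comment such as `/* defaults to 1: title reporting is a security hazard, so it stays off unless explicitly enabled */` would keep a later tidy-up from resetting it to 0. Both save_open_settings and load_open_settings start and end outside the hunks shown.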


@ -2604,7 +2604,8 @@ void term_out(Terminal *term)
*/ */
break; break;
case 20: case 20:
if (term->ldisc) { if (term->ldisc &&
!term->cfg.no_remote_qtitle) {
p = get_window_title(term->frontend, TRUE); p = get_window_title(term->frontend, TRUE);
len = strlen(p); len = strlen(p);
ldisc_send(term->ldisc, "\033]L", 3, 0); ldisc_send(term->ldisc, "\033]L", 3, 0);
@ -2613,7 +2614,8 @@ void term_out(Terminal *term)
} }
break; break;
case 21: case 21:
if (term->ldisc) { if (term->ldisc &&
!term->cfg.no_remote_qtitle) {
p = get_window_title(term->frontend,FALSE); p = get_window_title(term->frontend,FALSE);
len = strlen(p); len = strlen(p);
ldisc_send(term->ldisc, "\033]l", 3, 0); ldisc_send(term->ldisc, "\033]l", 3, 0);
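Review bot: The new `!term->cfg.no_remote_qtitle` test in cases 20 and 21 carries no comment explaining why the report is gated, and the same two-line condition is repeated in both cases. A short comment above case 20, for example `/* Title reports reach the server as if typed at the keyboard; only sent when the user has opted in. */`, would make it harder for a later cleanup to drop the guard. When the option is enabled, the string from get_window_title() appears to be sent back unchanged, though the lines that send `p` fall outside the hunks shown. If so, it may be worth stripping control characters from `p` before it reaches ldisc_send. term_out's body starts and ends outside these hunks.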


@ -26,6 +26,7 @@
#define WINHELP_CTX_features_resize "features.resize" #define WINHELP_CTX_features_resize "features.resize"
#define WINHELP_CTX_features_altscreen "features.altscreen" #define WINHELP_CTX_features_altscreen "features.altscreen"
#define WINHELP_CTX_features_retitle "features.retitle" #define WINHELP_CTX_features_retitle "features.retitle"
#define WINHELP_CTX_features_qtitle "features.qtitle"
#define WINHELP_CTX_features_dbackspace "features.dbackspace" #define WINHELP_CTX_features_dbackspace "features.dbackspace"
#define WINHELP_CTX_features_charset "features.charset" #define WINHELP_CTX_features_charset "features.charset"
#define WINHELP_CTX_terminal_autowrap "terminal.autowrap" #define WINHELP_CTX_terminal_autowrap "terminal.autowrap"