luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw

Browse Source 
Closes #12278
This commit is contained in:
Daniel Stenberg 2023-11-06 08:39:29 +01:00
parent 7925ba431b
commit 2b16b86bb6
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docs/VULN-DISCLOSURE-POLICY.md
View File

@ -283,3 +283,12 @@ and if an attacker can trick the user to run a specifically crafted curl
command line, all bets are off. Such an attacker can just as well have the command line, all bets are off. Such an attacker can just as well have the
user run a much worse command that can do something fatal (like user run a much worse command that can do something fatal (like
`sudo rm -rf /`). `sudo rm -rf /`).
## Terminal output and escape sequences
Content that is transferred from a server and gets displayed in a terminal by
curl may contain escape sequences or use other tricks to fool the user. This
is curl working as designed and is not a curl security problem. Escape
sequences, moving cursor, changing color etc, is also frequently used for
good. To reduce the risk of getting fooled, save files and browse them after
download using a display method that minimizes risks.