Now those gpg.fail people made me find similar vulns elsewhere (console control character injection).
-
Now those gpg.fail people made me find similar vulns elsewhere (console control character injection). By "elsewhere" I mean... my own code.
Opinions wanted: should "input can inject console output with ansi and control chars" always be considered a vuln/CVE?
(I'll fix it in any case, I'm just wondering if I should do all the "security release/advisory/request CVE/..." stuff.) -
Now those gpg.fail people made me find similar vulns elsewhere (console control character injection). By "elsewhere" I mean... my own code.
Opinions wanted: should "input can inject console output with ansi and control chars" always be considered a vuln/CVE?
(I'll fix it in any case, I'm just wondering if I should do all the "security release/advisory/request CVE/..." stuff.)@hanno I would consider outputting unsanitized control characters a bug in general. It's okay if you warn the user beforehand but just decoding untrusted data into a ANSI terminal feels wrong.
