Bug#995479: vte2.91: consider disabling/removing OSC7

Christoph Anton Mitterer calestyo at scientia.net
Fri Oct 1 20:40:30 BST 2021


Source: vte2.91
Version: 0.64.2-3
Severity: wishlist
Tags: security


Hey there.

AFAIU, VTE implements OSC7, which is a pseudo-standardised terminal escape
sequence about the current working directory.

I think the main (only?) benefit right now is that new terminal windows/tabs
can be opened in the same CWD (which is truly a nice thing).


But Debian, at least gnome-terminal seems to handle that anyway differently,
or at least there is:
  Provide-fallback-for-reading-current-directory-if-OS.patch
which seems to deduce the CWD in a more safe manner.

OSC7 also requires that the sequence is always printed, which has at least as
of now the issues described in #714175.


In general though, I think the whole feature (OSC7, not the way it's done
in Provide-fallback-for-reading-current-directory-if-OS.patch) is a misfeature
as it might be a subtle security hole:

Allowing any process running in a terminal to indicate the current working
directory means, that this could also be done by rogue processes, e.g.
anything one executes remotely via SSH could print that sequence, and alter
the local terminal.

Right now this is only a subtle security issue (it wouldn't modify the CWD
of the already running local shell, AFAIU).
But it could modify the CWD for the shell in any newly started tab/window.


Again, not the biggest hole in the world but still... imagine one is in
/tmp/foobar/ ... SSH from there to a rogue location... now one suddenly wants
to clean up /tmp/foobar/ with a rm -rf... opens a new tab for that and does
it without properly checking the CWD.
But in the meantime, the rogue system printed OSC7 with a path of "/".


I've reported the thing here:
https://gitlab.freedesktop.org/terminal-wg/specifications/-/issues/20#note_956242
already, and there seems to be at least agreement, that it might be abused
depending on how the information of the CWD is used by the terminal.

I'd say, the above example is already enough in order to not want that feature
ever.

In that discussion there were also some proposals of including the hostname in OSC7,
but IMO that wouldn't solve the security issues either.
A remote system might likely be able to determine or guess the hostname of the
connecting client.
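As an added illustration of the two points above (a remote process can emit the sequence, and a hostname field does not help when the remote side can guess the client's hostname), here is a small auditing script that is not part of this report or of VTE. It scans a captured terminal byte stream for OSC 7 sequences (ESC ] 7 ; file://HOST/PATH terminated by BEL or ESC \) and applies a strict acceptance policy. The policy, the sample stream and the local hostname "laptop" are all assumptions constructed for the example; the third sample payload shows that a spoofed matching hostname passes a hostname-only check, which is exactly the weakness described above.

```python
import re
from urllib.parse import urlparse, unquote

# OSC 7 has the form  ESC ] 7 ; file://HOST/PATH  followed by BEL (\x07)
# or by the string terminator ESC \ .
OSC7_RE = re.compile(rb"\x1b\]7;(?P<body>[^\x07\x1b]*)(?:\x07|\x1b\\)")

# Constructed sample of what a terminal might receive during an SSH session.
# Payload 1: remote host announces "/"            -> should be rejected
# Payload 2: genuine local announcement           -> accepted
# Payload 3: remote host spoofing the local name  -> passes a hostname check
SAMPLE_STREAM = (
    b"user@remote:~$ ls\r\n"
    b"\x1b]7;file://remote.example.invalid/\x07"
    b"\x1b]7;file://laptop/tmp/foobar\x1b\\"
    b"\x1b]7;file://laptop/\x07"
    b"user@remote:~$ "
)


def extract_osc7(stream: bytes):
    """Return every OSC 7 payload (as str) found in a raw terminal byte stream."""
    return [m.group("body").decode("utf-8", "replace")
            for m in OSC7_RE.finditer(stream)]


def validate_osc7(payload: str, local_host: str):
    """Decide whether a terminal should trust one OSC 7 payload.

    Returns (accepted, info): info is the decoded path on success and the
    rejection reason otherwise. The policy is an assumption for this example,
    not VTE's real logic: accept only file:// URLs whose host is empty,
    'localhost' or exactly the local hostname, and whose path is absolute.
    """
    url = urlparse(payload)
    if url.scheme != "file":
        return False, "scheme is not file://"
    host = url.hostname or ""
    if host not in ("", "localhost", local_host):
        return False, f"host {host!r} does not match local host {local_host!r}"
    path = unquote(url.path)
    if not path.startswith("/"):
        return False, "path is not absolute"
    return True, path


def audit(stream: bytes, local_host: str):
    """Run the policy over every OSC 7 in the stream; returns (payload, accepted, info) tuples."""
    return [(p,) + validate_osc7(p, local_host) for p in extract_osc7(stream)]


if __name__ == "__main__":
    # In a real terminal one would use socket.gethostname() here; the fixed
    # name keeps the demonstration deterministic.
    for payload, accepted, info in audit(SAMPLE_STREAM, "laptop"):
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {payload!r}: {info}")
```

The run shows the first payload rejected, but both "laptop" payloads accepted, so a hostname check only filters remote systems that do not bother to guess the client's name; a terminal that wants to use the CWD for new tabs still needs a source it controls, such as reading the foreground process's cwd from /proc as the Debian patch does.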


So please consider adding a patch that removes or disables OSC7 support
altogether.
The feature of retaining the CWD on new tabs/windows is better solved
with a patch that does it safely like the one Debian already ships.



Cheers,
Chris.

PS: If you agree, one should probably try to have the same for other terminals
with OSC7 support as well. Not sure how to do this beast,... perhaps asking
the Debian security guys for help?


