PuTTY wish osc

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: Escape sequence to execute command on the client side
class: wish: This is a request for an enhancement.
difficulty: fun: Just needs tuits, and not many of them.
priority: never: We don't ever intend to fix this.

People occasionally ask for an escape sequence which will execute an arbitrary local command, à la ECMA-48 OSC (Operating system command).

This feature is horrendously insecure, and PuTTY will not be implementing it unless someone comes up with some plausible way of dealing with the security issues outlined below.

If your terminal is willing to receive an escape sequence which directs it to run a local program, and will uncomplainingly do it, then for a start you've just put your client machine completely at the mercy of your server - so I do hope you never make a connection to a machine whose sysadmin is less than a close and trusted friend of yours! What would stop the server sending a remote-command escape such as del *.*, or (perhaps even worse) one which read sensitive files on your disk and sent them out to somewhere the malicious server admin could recover them? And even if your server admin is trustworthy, his machine could be cracked, and then your client box is at the mercy of the cracker.

Furthermore, applications such as Unix `write' often don't filter escape sequences out of their output, so if you ever have messages enabled then you've handed control of your local machine to any user of the same server who might want it.

In general, your terminal stream should be considered untrusted for these purposes. Users don't normally feel nervous about running `cat' on unknown files just to see what's in them; they tend to feel that the worst that can happen as a result is that they screw up their terminal state and have to reset it - and many users don't even expect that, and come and complain to us when it happens (see the FAQ). If your terminal is willing to run arbitrary local commands when told to by an escape sequence, then you have to adopt a whole new level of paranoia, where (for example) any file not trusted by you is viewed using `cat -v' rather than `cat', and only when you're certain that it's clean of malicious escape sequences do you progress to `cat'.

An alternative remote-execution solution with authentication is DoIt.


If you want to comment on this web site, see the Feedback page.
Audit trail for this wish.
(last revision of this bug record was at 2005-03-11 18:36:53 +0000)