simon-svn: putty: jacob

tartarus-commits at tartarus-commits at
Sun Dec 31 15:33:33 GMT 2006

SVN root:       svn://
Changes by:     jacob
Revision:       7043
Date:           2006-12-31 15:33:33 +0000 (Sun, 31 Dec 2006)

Log message (16 lines):
Patch inspired by one from Daniel Silverstone in Debian bug #229232:

We now have an option where a remote window title query returns a well-formed
response containing the empty string. This should keep stop any server-side
application that was expecting a response from hanging, while not permitting
the response to be influenced by an attacker.

We also retain the ability to stay schtum. The existing checkbox has thus
grown into a set of radio buttons.

I've changed the default to the "empty string" response, even in the backward-
compatibility mode of loading old settings, which is a change in behaviour;
any users who want the old behaviour back will have to explicitly select it. I
think this is probably the Right Thing. (The only drawback I can think of is
that an attacker could still potentially use the relevant fixed strings for
mischief, but we already have other, similar reports.)

Modified files:
U   putty/config.c
U   putty/doc/config.but
U   putty/putty.h
U   putty/settings.c
U   putty/terminal.c


More information about the tartarus-commits mailing list