1. 45

  2. 18

    A little pedantic, but also important to understand: This isn’t because of “cat’s default behavior of rendering carriage return characters”. It’s because of cat’s default behavior of not rendering anything. It’s a low-level tool that just copies bytes (unless you tell it you do want to “render” control characters with -A). It’s the terminal emulator that’s rendering the carriage returns.

    That said, good point about a sneaky way to hide things. Next try putting stuff way over on the right side of the line for people who don’t have line wrap turned on in their editor.

    1. 4

      Once upon a time I saw a related article about the nasty habits of doing curl sh, which btw is proposed by lots of project pages, these days.

      The idea was to detect (server side) the latencies introduced by the script interpretation (client side), and determine if the evil payload should be included or not. If you curl > x.sh to inspect x.sh you don’t see it, if you curl | sh you get it.

      1. 3

        Use a $PAGER. :) But good catch

        1. 3

          On a related note to this, one of my favorite CTF challenges from InsomniHack(?) was just to curl a link that would be a PITA to type out. However, the page had an onCopy handler that intercepted and put a bunch of nasty shell commands in there instead.

          1. 3

            The article suggests using less to view the file instead, which is a good idea—but make sure you don’t use less -r, which has the same problem! The -r or --raw-control-chars flag will output the raw carriage return just like cat does. It is safe to use less if you leave it at its default behavior, or if you use the -R, --RAW-CONTROL-CHARS flag, which only allows ANSI color escape sequences to pass through.

            (I would be surprised if many people are using less -r by default, since the formatting can get screwed up in all kinds of ways, but I figured I should point this out for completeness.)

            1. 2

              From now on, let’s use something safer, such as less, when we review scripts.

              Might want to disable lesspipe too :)

              1. 0

                I am surprised people use cat to “review scripts”.
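
The review checks discussed in this thread (`cat -A`-style rendering, and default `less` versus `less -r` / `less -R`), sketched as an added example that is not part of any comment above. The function names and the sample script are constructed for illustration; `terminal_view` only models carriage-return overwriting, not a full terminal.

```python
import re

# Bytes a terminal acts on instead of displaying: C0 controls except
# tab (0x09) and newline (0x0a), plus DEL (0x7f).
CONTROL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")
SGR_COLOR = re.compile(rb"\x1b\[[0-9;]*m")  # ANSI colour sequences only


def caret(data: bytes) -> str:
    """Render control bytes in caret notation, like `cat -v` (CR becomes ^M)."""
    return "".join(
        "^?" if b == 0x7F
        else "^" + chr(b + 0x40) if b < 0x20 and b not in (0x09, 0x0A)
        else chr(b)
        for b in data
    )


def terminal_view(line: bytes) -> str:
    """Approximate what a terminal shows for one line: CR moves the cursor
    to column 0 and later bytes overwrite earlier ones."""
    cells, col = [], 0
    for ch in line.decode("latin-1"):
        if ch == "\r":
            col = 0
            continue
        if col < len(cells):
            cells[col] = ch
        else:
            cells.append(ch)
        col += 1
    return "".join(cells)


def review(script: bytes, allow_color: bool = False):
    """Return (line_number, caret_rendering) for every line with control bytes.
    allow_color=True ignores ANSI colour sequences, as `less -R` passes them."""
    findings = []
    for n, line in enumerate(script.split(b"\n"), 1):
        line = line[:-1] if line.endswith(b"\r") else line  # tolerate CRLF endings
        probe = SGR_COLOR.sub(b"", line) if allow_color else line
        if CONTROL.search(probe):
            findings.append((n, caret(line)))
    return findings


# Constructed sample: line 2 hides its first command behind a carriage return.
SAMPLE = b"#!/bin/sh\necho HIDDEN #\recho 'hello world'\necho done\n"
```

Comparing `terminal_view` of a flagged line with its `caret` rendering shows the gap between what the terminal displays and what the shell would read.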