WG15 Defect Report Ref: 9945-2-26
Topic: write

This is an approved interpretation of 9945-2:1993.


Last update: 1997-05-20


	Class: Defect situation

The standards states what it states, and conforming implementations
must conform to this. However, concerns have been raised about this
which are being referred to the Sponsors of the standard for consideration as
a future amendment.


	Topic:			write
	Relevant Sections:	5.37.2

Defect Report:
          In Section 5.37.2 - Description  {of  write},  the  standard 
          states that ``[t]yping [other] nonprintable characters shall 
          cause   implementation-defined   sequences   of    printable 
          characters to be  written  to  the  recipient's  terminal.'' 
          [Draft 12 of ISO/IEC 9945-2:1993 (July 1992), p. 694, lines 
          5988-5989] and  that  ``[t]yping  characters  from  LC_CTYPE 
          classifications print or space shall cause those  characters 
          to be sent to the recipient's terminal.''  [Ibid.,  p.  694, 
          lines 5982-5983] 
          If {POSIX2_LOCALEDEF} is defined,  a  malicious  user  could 
          create a locale in which every character is  printable.   In 
          this case, a control sequence causing a line to be  sent  to 
          the system and then executed can be sent to an  unsuspecting 
          user's terminal. 
          This  is  a   security   hole.    Could   lines   5996-5997: 
          ``[h]owever, a user's privilege may  further  constrain  the 
          domain of accessibility of other users' terminals''  [Ibid., 
          p.694, lines 5996-5997] be  used  to  close  this  hole,  by 
          disallowing mortals from writing to other  users'  terminals 
          if their LC_CTYPE is not a public locale? 

WG15 response for 9945-2:1993 

The standard allows the behavior described in the interpretation
request. Concern over this has been forwarded to the sponsors of the

Rationale for Interpretation: