From: Daniel Stenberg Date: Mon, 6 Nov 2023 07:39:29 +0000 (+0100) Subject: VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw X-Git-Tag: curl-8_5_0~133 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2b16b86bb6a70c88b727a8299cfe0a2fc6c3dba5;p=thirdparty%2Fcurl.git VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw Closes #12278 --- diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index 3ce2203291..631e6a6151 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -283,3 +283,12 @@ and if an attacker can trick the user to run a specifically crafted curl command line, all bets are off. Such an attacker can just as well have the user run a much worse command that can do something fatal (like `sudo rm -rf /`). + +## Terminal output and escape sequences + +Content that is transferred from a server and gets displayed in a terminal by +curl may contain escape sequences or use other tricks to fool the user. This +is curl working as designed and is not a curl security problem. Escape +sequences, moving cursor, changing color etc, is also frequently used for +good. To reduce the risk of getting fooled, save files and browse them after +download using a display method that minimizes risks.
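Review bot: In the added "Terminal output and escape sequences" section, the sentence "Escape sequences, moving cursor, changing color etc, is also frequently used for good" pairs a plural subject with a singular verb and reads as a run-on list. Suggest "Escape sequences (moving the cursor, changing color, etc.) are also frequently used for good." The closing advice to browse saved files "using a display method that minimizes risks" does not say what such a method is. Naming one example, such as a viewer that shows control characters in escaped form instead of interpreting them, would make the mitigation something a reader can act on. The section also covers only content "transferred from a server"; if the same reasoning is meant to apply to other server-controlled text that curl prints to the terminal, stating that would help keep the policy from being read more narrowly than intended.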