• src/syncterm/syncterm.c

    From Deuce@1:103/705 to Git commit to main/sbbs/master on Thursday, April 02, 2026 19:59:03
    https://gitlab.synchro.net/main/sbbs/-/commit/9ad6ac0765a4f972aa08b93c
    Modified Files:
    src/syncterm/syncterm.c
    Log Message:
    Use XDG_DOWNLOAD_DIR on *nix

    Default to $HOME/Downloads

    The default download directory on all *nix builds (except macOS)
    was previously $HOME. This meant that ZModem auto-downloads can
    place files directly in your home directory, potentially without
    you noticing if it's fast enough.

    While it would request confirmation if it's overwriting, if it's
    a file that doesn't exist, it would be dropped right there. This
    is potentially VERY BAD, it could create a .bash_profile if you're
    using .profile for example, a .xsessionrc, etc. files that are
    automatically executed and assumed trusted, but often don't exist
    already on most systems.

    While this technically isn't *quite* as bad as memory errors where
    the remote will potentially have full access to your system, it's
    much more trivial to turn into a real exploit.

    Reported by JQuast on IRC.
    Thanks again for reaching out and reporting these security issues
    with SyncTERM.

    I'd like to take this time to clarify that you SHOULD NOT use
    SyncTERM to access a POSIX shell, there's a LOT of sequences that
    "standard" terminal emulators have specifically stopped supporting
    because they pose clear security risks. SyncTERM gleefully supports
    these sequences. If you use this for a shell and ssh to untrusted
    systems, copy/paste commands in or out of the terminal, or even
    run things like curl and support redirects, there are strange gotchas
    waiting for you.
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
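The directory policy the commit describes, as an added example in C that is not SyncTERM's own code: it reads XDG_DOWNLOAD_DIR from the environment (a simplification; the real XDG user-dirs are usually configured in a file) and falls back to $HOME/Downloads, and it adds a file-name check that refuses the hidden dotfiles the message warns about. All function names are this example's own assumptions, and it does not model the macOS exception.

```c
/* Added example, not SyncTERM's code: pick the download directory the
 * way the commit describes (XDG_DOWNLOAD_DIR, else $HOME/Downloads) and
 * refuse names that would drop a hidden dotfile there. All names here
 * are this example's own assumptions, not the project's API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static char dir_buf[4096];

/* Pure policy: takes the two environment values as arguments so it can be
 * tested without touching the real environment. Returns a static buffer,
 * or NULL if no usable directory can be chosen. */
const char *resolve_download_dir(const char *xdg, const char *home)
{
    int n;
    if (xdg != NULL && xdg[0] == '/')        /* XDG dirs must be absolute */
        n = snprintf(dir_buf, sizeof dir_buf, "%s", xdg);
    else if (home != NULL && home[0] == '/')
        n = snprintf(dir_buf, sizeof dir_buf, "%s/Downloads", home);
    else
        return NULL;
    return (n < 0 || (size_t)n >= sizeof dir_buf) ? NULL : dir_buf;
}

/* Reads the real environment and delegates to resolve_download_dir(). */
const char *default_download_dir(void)
{
    return resolve_download_dir(getenv("XDG_DOWNLOAD_DIR"), getenv("HOME"));
}

/* Accept only plain, visible file names: no empty name, no leading '.'
 * (so .bash_profile or .xsessionrc cannot appear silently; this also
 * rejects ".."), and no path separators. Returns 1 if acceptable. */
int safe_download_name(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '.')
        return 0;
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
        return 0;
    return 1;
}
int main(void)
{
    const char *dir = default_download_dir();
    const char *names[] = { "file.zip", ".bash_profile", "../x", "a/b" };
    printf("downloads go to: %s\n", dir ? dir : "(none)");
    for (size_t i = 0; i < 4; i++)
        printf("%-14s %s\n", names[i], safe_download_name(names[i]) ? "ok" : "rejected");
    return 0;
}
```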