X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/5446ac11e82889a9b910c196445226a3f4e5a5c4..362a72898c66890c63e64d0e1750fb19bbb5f472:/unix/pterm.1?ds=sidebyside

diff --git a/unix/pterm.1 b/unix/pterm.1
index eb9fc835..080da350 100644
--- a/unix/pterm.1
+++ b/unix/pterm.1
@@ -201,6 +201,22 @@ screen exactly the way they found it.
 This option should be set to either 0 or 1; the default is 0. When
 set to 1, it stops the server from remotely controlling the title of
 the \fIpterm\fP window.
+.IP "\fBpterm.NoRemoteQTitle\fP"
+This option should be set to either 0 or 1; the default is 1. When
+set to 1, it stops the server from remotely requesting the title of
+the \fIpterm\fP window.
+
+This feature is a \fBPOTENTIAL SECURITY HAZARD\fP. If a malicious
+application can write data to your terminal (for example, if you
+merely \fIcat\fP a file owned by someone else on the server
+machine), it can change your window title (unless you have disabled
+this using the \fBNoRemoteWinTitle\fP resource) and then use this
+service to have the new window title sent back to the server as if
+typed at the keyboard. This allows an attacker to fake keypresses
+and potentially cause your server-side applications to do things you
+didn't want. Therefore this feature is disabled by default, and we
+recommend you do not turn it on unless you \fBreally\fP know what
+you are doing.
 .IP "\fBpterm.NoDBackspace\fP"
 This option should be set to either 0 or 1; the default is 0. When
 set to 1, it disables the normal action of the Delete (^?) character