4.6.6 Response to remote window title querying

PuTTY can optionally provide the xterm service of allowing server applications to find out the local window title. This feature is disabled by default, but you can turn it on if you really want it.

NOTE that this feature is a potential security hazard. If a malicious application can write data to your terminal (for example, if you merely cat a file owned by someone else on the server machine), it can change your window title (unless you have disabled this as mentioned in section 4.6.5) and then use this service to have the new window title sent back to the server as if typed at the keyboard. This allows an attacker to fake keypresses and potentially cause your server-side applications to do things you didn't want. Therefore this feature is disabled by default, and we recommend you do not set it to ‘Window title’ unless you really know what you are doing.

There are three settings for this option:

‘None’

PuTTY makes no response whatsoever to the relevant escape sequence. This may upset server-side software that is expecting some sort of response.

‘Empty string’

PuTTY makes a well-formed response, but leaves it blank. Thus, server-side software that expects a response is kept happy, but an attacker cannot influence the response string. This is probably the setting you want if you have no better ideas.

‘Window title’

PuTTY responds with the actual window title. This is dangerous for the reasons described above.