summary: Terminal window 'trust sigils' never turned off in SSH-1 or Rlogin
class: bug: This is clearly an actual problem we want fixed.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.71
fixed-in: 128d001c3eebae15fe97fc18dc48d8939ae72e98 (0.72)

In 0.71, the fix for vuln-auth-prompt-spoofing added 'trust sigils' -- PuTTY icons at the start of locally generated lines -- to distinguish them from data sent by the server.

In both the SSH-1 and Rlogin protocols, these trust sigils were accidentally not turned off at the end of authentication, so that all data throughout the session was tagged with a trust sigil.

As well as removing the useful distinction between trusted and untrusted output, this also meant that 3 columns of the terminal were unusable, which would have caused formatting issues in many applications.

(The commonly used SSH-2 protocol is not affected, only the obsolete SSH-1 protocol that is rarely used. In PuTTY 0.68 and later, we no longer support automatic fallback to SSH-1 from SSH-2, so any saved session configured to the default of SSH-2 will not suffer from this issue.)

