sideband: introduce an "escape hatch" to allow control characters

The preceding commit fixed the vulnerability whereas sideband messages
(that are under the control of the remote server) could contain ANSI
escape sequences that would be sent to the terminal verbatim.

However, this fix may not be desirable under all circumstances, e.g.
when remote servers deliberately add coloring to their messages to
increase their urgency.

To help with those use cases, give users a way to opt-out of the
protections: `sideband.allowControlCharacters`.

Suggested-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 8c0b3ed807521490429dec119124cf236332968e..48870bb588eb95c76d59c46fe6a1fdea65132edb 100644 (file)
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -522,6 +522,8 @@ include::config/sequencer.txt[]
 
 include::config/showbranch.txt[]
 
+include::config/sideband.txt[]
+
 include::config/sparse.txt[]
 
 include::config/splitindex.txt[]

diff --git a/Documentation/config/sideband.txt b/Documentation/config/sideband.txt
new file mode 100644 (file)
index 0000000..3fb5045
--- /dev/null
+++ b/Documentation/config/sideband.txt
@@ -0,0 +1,5 @@
+sideband.allowControlCharacters::
+       By default, control characters that are delivered via the sideband
+       are masked, to prevent potentially unwanted ANSI escape sequences
+       from being sent to the terminal. Use this config setting to override
+       this behavior.

diff --git a/sideband.c b/sideband.c
index fc1805dcf87d24dccf43153a0aef34279a328c27..997430f2ea123b4d150db0f5e8672cf4a71a4617 100644 (file)
--- a/sideband.c
+++ b/sideband.c
@@ -25,6 +25,8 @@ static struct keyword_entry keywords[] = {
        { "error",      GIT_COLOR_BOLD_RED },
 };
 
+static int allow_control_characters;
+
 /* Returns a color setting (GIT_COLOR_NEVER, etc). */
 static int use_sideband_colors(void)
 {
@@ -38,6 +40,9 @@ static int use_sideband_colors(void)
        if (use_sideband_colors_cached >= 0)
                return use_sideband_colors_cached;
 
+       git_config_get_bool("sideband.allowcontrolcharacters",
+                           &allow_control_characters);
+
        if (!git_config_get_string_tmp(key, &value))
                use_sideband_colors_cached = git_config_colorbool(key, value);
        else if (!git_config_get_string_tmp("color.ui", &value))
@@ -67,6 +72,11 @@ void list_config_color_sideband_slots(struct string_list *list, const char *pref
 
 static void strbuf_add_sanitized(struct strbuf *dest, const char *src, int n)
 {
+       if (allow_control_characters) {
+               strbuf_add(dest, src, n);
+               return;
+       }
+
        strbuf_grow(dest, n);
        for (; n && *src; src++, n--) {
                if (!iscntrl(*src) || *src == '\t' || *src == '\n')

diff --git a/t/t5409-colorize-remote-messages.sh b/t/t5409-colorize-remote-messages.sh
index f4712f4161c0b536fd6255c7cd7ba86678d8a524..e8067df591131033f340e37e62f491865a15d87b 100755 (executable)
--- a/t/t5409-colorize-remote-messages.sh
+++ b/t/t5409-colorize-remote-messages.sh
@@ -106,9 +106,15 @@ test_expect_success 'disallow (color) control sequences in sideband' '
        EOF
        test_config_global uploadPack.packObjectsHook ./color-me-surprised &&
        test_commit need-at-least-one-commit &&
+
        git clone --no-local . throw-away 2>stderr &&
        test_decode_color <stderr >decoded &&
-       test_grep ! RED decoded
+       test_grep ! RED decoded &&
+
+       rm -rf throw-away &&
+       git -c sideband.allowControlCharacters clone --no-local . throw-away 2>stderr &&
+       test_decode_color <stderr >decoded &&
+       test_grep RED decoded
 '
 
 test_done