sideband: introduce an "escape hatch" to allow control characters

The preceding commit fixed the vulnerability whereas sideband messages
(that are under the control of the remote server) could contain ANSI
escape sequences that would be sent to the terminal verbatim.

However, this fix may not be desirable under all circumstances, e.g.
when remote servers deliberately add coloring to their messages to
increase their urgency.

To help with those use cases, give users a way to opt-out of the
protections: `sideband.allowControlCharacters`.

Suggested-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/Documentation/config.adoc b/Documentation/config.adoc
index 62eebe7c54501c5bfc9c408f5fcddef13612d29f..dcea3c0c15e2a93d271adf4d1322763257bcc4f9 100644 (file)
--- a/Documentation/config.adoc
+++ b/Documentation/config.adoc
@@ -523,6 +523,8 @@ include::config/sequencer.adoc[]
 
 include::config/showbranch.adoc[]
 
+include::config/sideband.adoc[]
+
 include::config/sparse.adoc[]
 
 include::config/splitindex.adoc[]

diff --git a/Documentation/config/sideband.adoc b/Documentation/config/sideband.adoc
new file mode 100644 (file)
index 0000000..3fb5045
--- /dev/null
+++ b/Documentation/config/sideband.adoc
@@ -0,0 +1,5 @@
+sideband.allowControlCharacters::
+       By default, control characters that are delivered via the sideband
+       are masked, to prevent potentially unwanted ANSI escape sequences
+       from being sent to the terminal. Use this config setting to override
+       this behavior.

diff --git a/sideband.c b/sideband.c
index c1bbadccac682bc46d7c2382ed9aaacdba0f97d5..682f1cbbedb9b8f2c51188b7b5e243fa91a41fa7 100644 (file)
--- a/sideband.c
+++ b/sideband.c
@@ -26,6 +26,8 @@ static struct keyword_entry keywords[] = {
        { "error",      GIT_COLOR_BOLD_RED },
 };
 
+static int allow_control_characters;
+
 /* Returns a color setting (GIT_COLOR_NEVER, etc). */
 static enum git_colorbool use_sideband_colors(void)
 {
@@ -39,6 +41,9 @@ static enum git_colorbool use_sideband_colors(void)
        if (use_sideband_colors_cached != GIT_COLOR_UNKNOWN)
                return use_sideband_colors_cached;
 
+       repo_config_get_bool(the_repository, "sideband.allowcontrolcharacters",
+                           &allow_control_characters);
+
        if (!repo_config_get_string_tmp(the_repository, key, &value))
                use_sideband_colors_cached = git_config_colorbool(key, value);
        else if (!repo_config_get_string_tmp(the_repository, "color.ui", &value))
@@ -68,6 +73,11 @@ void list_config_color_sideband_slots(struct string_list *list, const char *pref
 
 static void strbuf_add_sanitized(struct strbuf *dest, const char *src, int n)
 {
+       if (allow_control_characters) {
+               strbuf_add(dest, src, n);
+               return;
+       }
+
        strbuf_grow(dest, n);
        for (; n && *src; src++, n--) {
                if (!iscntrl(*src) || *src == '\t' || *src == '\n') {

diff --git a/t/t5409-colorize-remote-messages.sh b/t/t5409-colorize-remote-messages.sh
index aa5b57057148e0d4a5d72d2b7f010cb9c9e1f0ce..9caee9a07f15564b01640e95985b236617bed26c 100755 (executable)
--- a/t/t5409-colorize-remote-messages.sh
+++ b/t/t5409-colorize-remote-messages.sh
@@ -105,9 +105,15 @@ test_expect_success 'disallow (color) control sequences in sideband' '
        EOF
        test_config_global uploadPack.packObjectsHook ./color-me-surprised &&
        test_commit need-at-least-one-commit &&
+
        git clone --no-local . throw-away 2>stderr &&
        test_decode_color <stderr >decoded &&
-       test_grep ! RED decoded
+       test_grep ! RED decoded &&
+
+       rm -rf throw-away &&
+       git -c sideband.allowControlCharacters clone --no-local . throw-away 2>stderr &&
+       test_decode_color <stderr >decoded &&
+       test_grep RED decoded
 '
 
 test_done