From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
To: Patrick Steinhardt <ps@pks.im>
Cc: Johannes Schindelin via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org,
"brian m. carlson" <sandals@crustytoothpaste.net>,
Phillip Wood <phillip.wood123@gmail.com>,
Andreas Schwab <schwab@linux-m68k.org>,
Ondrej Pohorelsky <opohorel@redhat.com>
Subject: Re: [PATCH v2 4/4] sideband: add options to allow more control sequences to be passed through
Date: Fri, 16 Jan 2026 20:47:39 +0100 (CET)
Message-ID: <bb319446-a655-42b7-00b4-581fb9290843@gmx.de>
In-Reply-To: <aWD2x154F5f-c3pL@pks.im>

Hi Patrick,

On Fri, 9 Jan 2026, Patrick Steinhardt wrote:

> On Wed, Dec 17, 2025 at 02:23:42PM +0000, Johannes Schindelin via GitGitGadget wrote:
> > From: Johannes Schindelin <johannes.schindelin@gmx.de>
> >
> > Even though control sequences that erase characters are quite juicy for
> > attack scenarios, where attackers are eager to hide traces of suspicious
> > activities, during the review of the side band sanitizing patch series
> > concerns were raised that there might be some legitimate scenarios where
> > Git server's `pre-receive` hooks use those sequences in a benign way.
> >
> > Control sequences to move the cursor can likewise be used to hide tracks
> > by overwriting characters, and have been equally pointed out as having
> > legitimate users.
> >
> > Let's add options to let users opt into passing through those ANSI
> > Escape sequences: `sideband.allowControlCharacters` now supports also
> > `cursor` and `erase`, and it parses the value as a comma-separated list.
>
> Hm, okay. I don't really see much of a reason to allow these, but now
> that the code exists already I don't see a reason why we should remove
> those options again.

I agree that the feedback that elicited this patch did not specify any
concrete use case where this might be necessary. I basically implemented
this only to alleviate the reviewer feedback more than any real-world
issue.

>
> > diff --git a/sideband.c b/sideband.c
> > index fb43008ab7..725e24db0d 100644
> > --- a/sideband.c
> > +++ b/sideband.c
> > @@ -28,9 +28,43 @@ static struct keyword_entry keywords[] = {
> > static enum {
> > ALLOW_NO_CONTROL_CHARACTERS = 0,
> > ALLOW_ANSI_COLOR_SEQUENCES = 1<<0,
> > + ALLOW_ANSI_CURSOR_MOVEMENTS = 1<<1,
> > + ALLOW_ANSI_ERASE = 1<<2,
> > ALLOW_DEFAULT_ANSI_SEQUENCES = ALLOW_ANSI_COLOR_SEQUENCES,
> > - ALLOW_ALL_CONTROL_CHARACTERS = 1<<1,
> > -} allow_control_characters = ALLOW_ANSI_COLOR_SEQUENCES;
> > + ALLOW_ALL_CONTROL_CHARACTERS = 1<<3,
> > +} allow_control_characters = ALLOW_DEFAULT_ANSI_SEQUENCES;
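
Review bot: `ALLOW_ALL_CONTROL_CHARACTERS = 1<<3` is a bit of its own rather than the union of the three category bits, so after `true` a test such as `allow_control_characters & ALLOW_ANSI_ERASE` is false. Every consumer has to check the ALL bit before the category bits; a one-line comment on the enum saying so, or defining ALL so that it includes the category bits, would make that harder to get wrong.
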
>
> Nit, not worth addressing on its own: readability would be helped a bit
> if the assignments were all aligned.
>
>     static enum {
>         ALLOW_NO_CONTROL_CHARACTERS  = 0,
>         ALLOW_ANSI_COLOR_SEQUENCES   = 1<<0,
>         ALLOW_ANSI_CURSOR_MOVEMENTS  = 1<<1,
>         ALLOW_ANSI_ERASE             = 1<<2,
>         ALLOW_DEFAULT_ANSI_SEQUENCES = ALLOW_ANSI_COLOR_SEQUENCES,
>         ALLOW_ALL_CONTROL_CHARACTERS = 1<<3,
>     } allow_control_characters = ALLOW_DEFAULT_ANSI_SEQUENCES;

I like that suggestion. Will change it.

> > +static inline int skip_prefix_in_csv(const char *value, const char *prefix,
> > + const char **out)
> > +{
> > + if (!skip_prefix(value, prefix, &value) ||
> > + (*value && *value != ','))
> > + return 0;
> > + *out = value + !!*value;
> > + return 1;
> > +}
> > +
> > +static void parse_allow_control_characters(const char *value)
> > +{
> > + allow_control_characters = ALLOW_NO_CONTROL_CHARACTERS;
> > + while (*value) {
> > + if (skip_prefix_in_csv(value, "default", &value))
> > + allow_control_characters |= ALLOW_DEFAULT_ANSI_SEQUENCES;
> > + else if (skip_prefix_in_csv(value, "color", &value))
> > + allow_control_characters |= ALLOW_ANSI_COLOR_SEQUENCES;
> > + else if (skip_prefix_in_csv(value, "cursor", &value))
> > + allow_control_characters |= ALLOW_ANSI_CURSOR_MOVEMENTS;
> > + else if (skip_prefix_in_csv(value, "erase", &value))
> > + allow_control_characters |= ALLOW_ANSI_ERASE;
> > + else if (skip_prefix_in_csv(value, "true", &value))
> > + allow_control_characters = ALLOW_ALL_CONTROL_CHARACTERS;
> > + else if (skip_prefix_in_csv(value, "false", &value))
> > + allow_control_characters = ALLOW_NO_CONTROL_CHARACTERS;
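
Review bot: `skip_prefix_in_csv()` has no comment describing its contract, and two of its edge cases are not obvious from the call sites: `*out = value + !!*value` silently accepts a trailing comma (`color,`), while a space after the comma (`color, erase`) leaves ` erase`, which matches none of the keywords. A short comment on the helper, plus either skipping whitespace after the separator or documenting that none is allowed, would help.
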
>
> Does it really make sense to also handle "true" and "false" here? I
> would expect that those values can only be passed standalone.

I was thinking that 1) it keeps the implementation more consistent, and 2)
it would allow for an "oops, let's restart this" type of approach, saying
`color,erase,false,color`.

Might be over-engineered, but the alternative would have to take care of
special-casing `true` and `false` in the following warning (because they
_are_ recognized, they just wouldn't be recognized inside a
comma-separated list).

>
> > + else
> > + warning(_("unrecognized value for `sideband."
> > + "allowControlCharacters`: '%s'"), value);
> > + }
> > +}
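
Review bot: in the final `else` branch, as quoted here, `value` is not advanced after `warning()`, so `while (*value)` sees the same unrecognized text again and never terminates. Skip to just past the next comma (or `break`) after warning. The `'%s'` also prints the whole remainder of the list rather than only the offending item.
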
>
> This could be simplified if we used e.g. `string_list_split()`. But on
> the other hand it avoids allocations, so that's a nice benefit.

The code also was a lot more verbose. I know, because that's what it
looked like before I changed it. :-)

Ciao,
Johannes
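
The three categories discussed in this thread (color, cursor movement, erase), shown as an added sketch that is not code from the patch or from Git: it classifies each ANSI CSI sequence by its final byte and masks the ESC of any sequence whose category is not allowed. The flag names, the grouping of final bytes and the `^` masking are assumptions of this example, and the sample line is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Flag names are this example's own; they mirror the thread's categories. */
enum { PASS_COLOR = 1 << 0, PASS_CURSOR = 1 << 1, PASS_ERASE = 1 << 2 };
/* Constructed sample: erase line, jump to column 1, then a colored word. */
static const char sample[] = "bad\033[2K\033[1Gok \033[32mdone\033[0m";

/* Length of the CSI sequence at s (0 if none); *kind gets its category. */
static size_t csi_length(const char *s, int *kind)
{
	size_t i = 2;
	if (s[0] != '\033' || s[1] != '[')
		return 0;
	while ((s[i] >= '0' && s[i] <= '9') || s[i] == ';')
		i++;
	*kind = s[i] == 'm' ? PASS_COLOR :
		(s[i] && strchr("ABCDEFGHf", s[i])) ? PASS_CURSOR :
		(s[i] == 'J' || s[i] == 'K') ? PASS_ERASE : 0;
	return *kind ? i + 1 : 0;
}

/* Copy src to dst (2 * strlen(src) + 1 bytes); return the masked count. */
static int sanitize(const char *src, int allowed, char *dst)
{
	int masked = 0;
	while (*src) {
		int kind = 0;
		size_t n = csi_length(src, &kind);
		if (n && (kind & allowed)) {
			while (n--)
				*dst++ = *src++;
		} else if ((unsigned char)*src < 0x20 && *src != '\n' && *src != '\t') {
			*dst++ = '^';	/* ESC becomes the visible pair "^[" */
			*dst++ = *src++ + 0x40;
			masked++;
		} else {
			*dst++ = *src++;
		}
	}
	*dst = '\0';
	return masked;
}

int main(void)
{
	char out[2 * sizeof(sample)];
	printf("%d masked: %s\n", sanitize(sample, PASS_COLOR, out), out);
	return 0;
}
```

With only the color category allowed, the erase and cursor sequences in the sample come out as visible `^[[2K` and `^[[1G` text, so the overwritten word stays on screen.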