--no-ansi regression #10601

Closed
ktomk opened this issue Mar 9, 2022 · 3 comments

ktomk commented Mar 9, 2022

Since composer/packagist@86244a3 here in #10582, composer's global --no-ansi switch does not work properly any longer for the binary sequence that was introduced by that change.

It looks like composer passes this information unchecked and unfiltered into the user's shell.

@Seldaek Seldaek added the Bug label Mar 9, 2022
@Seldaek Seldaek added this to the 2.2 milestone Mar 9, 2022

ktomk commented Mar 14, 2022

@Seldaek: Thanks for taking care. While stumbling over it, it is perhaps useful to refuse using any message if it contains one or more NUL bytes - and perhaps everything of C0 (apart from what you need for colors, as that is not possible to strip) - just to lower the injection potential into the user's shell. You perhaps already thought about it.


Seldaek commented Mar 14, 2022

Let's be honest, if a repository wants to mess with you, it can serve you URLs to packages with malware in them... so I think we can assume some amount of good-will/trust here.


ktomk commented Mar 14, 2022

Okay, let's be honest: a NUL byte / C0 check would also not turn this into a malware shield. I had my own terminal messes more in mind when injecting control characters than anything else. More error correction than anything else.

So better make the regex pattern filtering out actual ANSI sequences first of all - if anything.

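As an added illustration of the two filters discussed in this thread (not Composer's own code): refuse a repository message that carries NUL or other stray C0 control bytes, and strip the CSI/SGR colour sequences themselves when --no-ansi is active. The function names, the regex and the sample strings are assumptions made for this example.

```php
<?php
// Example added here, not Composer's implementation.
// Matches a CSI sequence: ESC '[' parameter bytes, intermediate bytes, final byte.
// This covers the SGR colour codes a repository would legitimately send,
// e.g. "\e[32m" ... "\e[0m".
const ANSI_CSI_PATTERN = '/\x1b\[[0-?]*[ -\/]*[@-~]/';

/**
 * True when $message contains a NUL byte or any C0 / DEL control character
 * other than TAB, LF, CR, or an ESC that introduces a well-formed CSI sequence.
 */
function containsDisallowedControls(string $message): bool
{
    if (strpos($message, "\0") !== false) {
        return true;
    }
    // Remove well-formed CSI sequences first so their ESC byte is not flagged;
    // a lone ESC, BEL, OSC introducer etc. remains and is rejected below.
    $withoutCsi = preg_replace(ANSI_CSI_PATTERN, '', $message);
    return preg_match('/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/', $withoutCsi) === 1;
}

/** Removes CSI sequences so that --no-ansi really produces plain text. */
function stripAnsi(string $message): string
{
    return preg_replace(ANSI_CSI_PATTERN, '', $message);
}

/**
 * Returns the message as it should reach the terminal, or null when the
 * message is refused because of disallowed control bytes.
 */
function renderRepositoryMessage(string $message, bool $noAnsi): ?string
{
    if (containsDisallowedControls($message)) {
        return null;
    }
    return $noAnsi ? stripAnsi($message) : $message;
}

// Constructed sample inputs (hypothetical repository messages).
$coloured = "\x1b[32mUpdate available\x1b[0m";
$tainted  = "Update\x00 available\x07";   // NUL byte plus BEL

var_dump(renderRepositoryMessage($coloured, true));   // colours stripped
var_dump(renderRepositoryMessage($coloured, false));  // colours kept
var_dump(renderRepositoryMessage($tainted, true));    // refused
```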