]> Kevux Git Server - rit/commit
sideband: mask control characters
authorJohannes Schindelin <johannes.schindelin@gmx.de>
Thu, 5 Mar 2026 23:34:46 +0000 (15:34 -0800)
committerJunio C Hamano <gitster@pobox.com>
Fri, 6 Mar 2026 21:52:28 +0000 (13:52 -0800)
commit04949538203ba7aeb298a607280715d4f26dbe0a
treeac30b65abbdb6991d57d05f062b60ecd295a913b
parent67ad42147a7acc2af6074753ebd03d904476118f
sideband: mask control characters

The output of `git clone` is a vital component for understanding what
has happened when things go wrong. However, these logs are partially
under the control of the remote server (via the "sideband", which
typically contains what the remote `git pack-objects` process sends to
`stderr`), and is currently not sanitized by Git.

This makes Git susceptible to ANSI escape sequence injection (see
CWE-150, https://cwe.mitre.org/data/definitions/150.html), which allows
attackers to corrupt terminal state, to hide information, and even to
insert characters into the input buffer (i.e. as if the user had typed
those characters).

To plug this vulnerability, disallow any control character in the
sideband, replacing them instead with the common `^<letter/symbol>`
(e.g. `^[` for `\x1b`, `^A` for `\x01`).

There is likely a need for more fine-grained controls instead of using a
"heavy hammer" like this, which will be introduced subsequently.

Helped-by: Phillip Wood <phillip.wood@dunelm.org.uk>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
sideband.c
t/t5409-colorize-remote-messages.sh