From: Johannes Schindelin <Johannes.Schindelin@gmx•de>
To: Junio C Hamano <gitster@pobox•com>
Cc: Jeff King <peff@peff•net>,
"brian m. carlson" <sandals@crustytoothpaste•net>,
Patrick Steinhardt <ps@pks•im>,
Johannes Schindelin via GitGitGadget <gitgitgadget@gmail•com>,
git@vger•kernel.org, Phillip Wood <phillip.wood123@gmail•com>,
Andreas Schwab <schwab@linux-m68k•org>,
Ondrej Pohorelsky <opohorel@redhat•com>
Subject: Re: [PATCH v2 4/4] sideband: add options to allow more control sequences to be passed through
Date: Tue, 3 Feb 2026 08:12:47 +0100 (CET) [thread overview]
Message-ID: <22d81c06-6ef8-dadb-5f1c-cd9461bb290d@gmx.de> (raw)
In-Reply-To: <xmqqo6m6vdf8.fsf@gitster.g>
Hi Junio,
On Tue, 3 Feb 2026, Junio C Hamano wrote:
> "brian m. carlson" <sandals@crustytoothpaste•net> writes:
>
> > On 2026-01-15 at 21:14:48, Jeff King wrote:
> >> Is there any reason we cannot introduce the new functionality as a
> >> config option but _not_ enable it by default?
> >>
> >> That gives people the tools to protect themselves if they want to bear
> >> the potential cost. It just feels a shame to deny them the tool because
> >> we can't agree on the default.
> >
> > Yes, I think that would be a fine and reasonable approach.
>
> Absolutely.
I disagree with neutering this security fix. Let me explain why, and then
propose a compromise.
CVE-2024-52005 exists because Git passes untrusted payload to the terminal
without sanitization. The terminal interprets control sequences sent to it
(it has no way to distinguish between sequences Git _intended_ to send and
sequences a malicious remote slipped into the sideband). That
responsibility falls squarely on Git. Shifting it to terminal emulators is
not viable: they _cannot_ make that distinction.
This is not about one specific vulnerability (OSC 8 or otherwise). It is
about the principle that programs must sanitize untrusted input before
passing it to an interpreter. Terminal emulators are interpreters. The set
of exploitable sequences changes over time as terminals add features; the
only durable fix is sanitization at the source.
Now, about breaking existing users.
The patches I submitted _do not_ break pre-receive hooks that emit color
sequences. Color sequences are allowed by default. What is disabled by
default are sequences that set the window title, query terminal state,
move the cursor, etc. (functionality that legitimate hooks have no
business using, and functionality that is ripe for exploitation).
The concern about Japanese ISO encodings colliding with control bytes is
theoretical at best: sideband messages are prefixed with the ASCII string
"remote: ", so any such encoding would already be broken today.
Here is the problem with "off by default".
Turning the sanitization off by default means CVE-2024-52005 remains
unaddressed for the vast majority of users. Providing an opt-in config is
security theater: users who do not know about the vulnerability will not
enable the protection. That is the opposite of defense in depth.
Fedora's decision to ship with sanitization disabled does not validate the
approach; it reflects their reluctance to diverge from upstream defaults,
not a security analysis concluding that the default is safe.
That said, I can see a path forward.
1. Turn sanitization _off_ by default in 2.x.
2. Document clearly that this default will change.
3. In Git 3.0 (the next breaking-changes release), flip the default so
that `sideband.allowControlCharacters=color` is the baseline, i.e.
color sequences pass through, but nothing else does.
This gives users and tooling (and support engineers) time to adapt while
committing to secure-by-default behavior in the near future.
I would appreciate hearing from anyone on the list with security
expertise. The principle that untrusted input must be sanitized before
reaching an interpreter is foundational; I am not aware of any credible
security guidance that says otherwise.
Ciao,
Dscho
next prev parent reply other threads:[~2026-02-03 7:13 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-14 18:19 [PATCH 0/3] Sanitize sideband channel messages Johannes Schindelin via GitGitGadget
2025-01-14 18:19 ` [PATCH 1/3] sideband: mask control characters Johannes Schindelin via GitGitGadget
2025-01-15 14:49 ` Phillip Wood
2025-12-02 15:43 ` Johannes Schindelin
2025-01-15 15:17 ` Andreas Schwab
2025-01-15 16:24 ` Junio C Hamano
2025-01-14 18:19 ` [PATCH 2/3] sideband: introduce an "escape hatch" to allow " Johannes Schindelin via GitGitGadget
2025-01-14 18:19 ` [PATCH 3/3] sideband: do allow ANSI color sequences by default Johannes Schindelin via GitGitGadget
2025-01-14 22:50 ` [PATCH 0/3] Sanitize sideband channel messages brian m. carlson
2025-01-16 6:45 ` Junio C Hamano
2025-01-28 16:03 ` Ondrej Pohorelsky
2025-01-31 17:55 ` Junio C Hamano
2025-12-02 14:11 ` Johannes Schindelin
2025-12-03 0:47 ` brian m. carlson
2025-12-03 8:04 ` Johannes Schindelin
2025-01-15 14:49 ` Phillip Wood
2025-12-02 14:56 ` Johannes Schindelin
2025-12-17 14:23 ` [PATCH v2 0/4] " Johannes Schindelin via GitGitGadget
2025-12-17 14:23 ` [PATCH v2 1/4] sideband: mask control characters Johannes Schindelin via GitGitGadget
2026-01-09 12:38 ` Patrick Steinhardt
2026-01-16 19:29 ` Johannes Schindelin
2025-12-17 14:23 ` [PATCH v2 2/4] sideband: introduce an "escape hatch" to allow " Johannes Schindelin via GitGitGadget
2025-12-18 2:22 ` Junio C Hamano
2025-12-18 17:59 ` Johannes Schindelin
2025-12-19 13:33 ` Junio C Hamano
2026-01-16 19:25 ` Johannes Schindelin
2026-01-09 12:38 ` Patrick Steinhardt
2025-12-17 14:23 ` [PATCH v2 3/4] sideband: do allow ANSI color sequences by default Johannes Schindelin via GitGitGadget
2026-01-09 12:38 ` Patrick Steinhardt
2026-01-16 19:38 ` Johannes Schindelin
2025-12-17 14:23 ` [PATCH v2 4/4] sideband: add options to allow more control sequences to be passed through Johannes Schindelin via GitGitGadget
2026-01-09 12:38 ` Patrick Steinhardt
2026-01-10 17:26 ` brian m. carlson
2026-01-15 21:14 ` Jeff King
2026-01-15 21:36 ` Junio C Hamano
2026-01-15 23:12 ` Johannes Schindelin
2026-01-16 6:45 ` Patrick Steinhardt
2026-01-16 12:12 ` Ondrej Pohorelsky
2026-01-16 15:21 ` Junio C Hamano
2026-01-16 18:46 ` Johannes Schindelin
2026-01-16 19:24 ` Junio C Hamano
2026-01-19 7:20 ` Patrick Steinhardt
2026-01-19 22:16 ` brian m. carlson
2026-01-20 2:41 ` D. Ben Knoble
2026-01-20 17:05 ` Junio C Hamano
2026-01-20 19:31 ` Jeff King
2026-01-20 20:11 ` Junio C Hamano
2026-01-21 7:39 ` Patrick Steinhardt
2026-01-22 12:29 ` Johannes Schindelin
2026-01-22 17:58 ` Junio C Hamano
2026-01-15 23:10 ` brian m. carlson
2026-02-03 1:11 ` Junio C Hamano
2026-02-03 7:12 ` Johannes Schindelin [this message]
2026-02-03 19:00 ` Junio C Hamano
2026-02-04 19:35 ` Junio C Hamano
2026-01-16 19:47 ` Johannes Schindelin
2026-01-16 22:26 ` [PATCH v3 0/5] Sanitize sideband channel messages Johannes Schindelin via GitGitGadget
2026-01-16 22:26 ` [PATCH v3 1/5] sideband: mask control characters Johannes Schindelin via GitGitGadget
2026-01-16 22:26 ` [PATCH v3 2/5] sideband: introduce an "escape hatch" to allow " Johannes Schindelin via GitGitGadget
2026-01-16 22:26 ` [PATCH v3 3/5] sideband: do allow ANSI color sequences by default Johannes Schindelin via GitGitGadget
2026-01-16 22:26 ` [PATCH v3 4/5] sideband: add options to allow more control sequences to be passed through Johannes Schindelin via GitGitGadget
2026-01-16 22:26 ` [PATCH v3 5/5] sideband: offer to configure sanitizing on a per-URL basis Johannes Schindelin via GitGitGadget
2026-01-16 22:32 ` [PATCH v3 0/5] Sanitize sideband channel messages Johannes Schindelin
2026-02-03 10:17 ` [PATCH v4 0/6] " Johannes Schindelin via GitGitGadget
2026-02-03 10:17 ` [PATCH v4 1/6] sideband: mask control characters Johannes Schindelin via GitGitGadget
2026-02-03 10:17 ` [PATCH v4 2/6] sideband: introduce an "escape hatch" to allow " Johannes Schindelin via GitGitGadget
2026-02-03 10:17 ` [PATCH v4 3/6] sideband: do allow ANSI color sequences by default Johannes Schindelin via GitGitGadget
2026-02-03 10:18 ` [PATCH v4 4/6] sideband: add options to allow more control sequences to be passed through Johannes Schindelin via GitGitGadget
2026-02-03 10:18 ` [PATCH v4 5/6] sideband: offer to configure sanitizing on a per-URL basis Johannes Schindelin via GitGitGadget
2026-02-03 10:18 ` [PATCH v4 6/6] sideband: delay sanitizing by default to Git v3.0 Johannes Schindelin via GitGitGadget
2026-02-04 19:26 ` [PATCH v4 0/6] Sanitize sideband channel messages Junio C Hamano
2026-02-05 14:48 ` Junio C Hamano
2026-02-13 23:50 ` Junio C Hamano
2026-03-02 18:11 ` [PATCH 0/3] Sanitizing sideband output Junio C Hamano
2026-03-02 18:11 ` [PATCH 1/3] sideband: drop 'default' configuration Junio C Hamano
2026-03-02 18:11 ` [PATCH 2/3] sideband: delay sanitizing by default to Git v3.0 Junio C Hamano
2026-03-02 18:11 ` [PATCH 3/3] sideband: conditional documentation fix Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 0/7] Sanitizing sideband output Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 1/7] sideband: mask control characters Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 2/7] sideband: introduce an "escape hatch" to allow " Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 3/7] sideband: do allow ANSI color sequences by default Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 4/7] sideband: add options to allow more control sequences to be passed through Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 5/7] sideband: offer to configure sanitizing on a per-URL basis Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 6/7] sideband: drop 'default' configuration Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 7/7] sideband: delay sanitizing by default to Git v3.0 Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=22d81c06-6ef8-dadb-5f1c-cd9461bb290d@gmx.de \
--to=johannes.schindelin@gmx$(echo .)de \
--cc=git@vger$(echo .)kernel.org \
--cc=gitgitgadget@gmail$(echo .)com \
--cc=gitster@pobox$(echo .)com \
--cc=opohorel@redhat$(echo .)com \
--cc=peff@peff$(echo .)net \
--cc=phillip.wood123@gmail$(echo .)com \
--cc=ps@pks$(echo .)im \
--cc=sandals@crustytoothpaste$(echo .)net \
--cc=schwab@linux-m68k$(echo .)org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox