From: Johannes Schindelin <Johannes.Schindelin@gmx•de>
To: Junio C Hamano <gitster@pobox•com>
Cc: "brian m. carlson" <sandals@crustytoothpaste•net>,
Patrick Steinhardt <ps@pks•im>,
Ondrej Pohorelsky <opohorel@redhat•com>,
Jeff King <peff@peff•net>,
Johannes Schindelin via GitGitGadget <gitgitgadget@gmail•com>,
git@vger•kernel.org, Phillip Wood <phillip.wood123@gmail•com>,
Andreas Schwab <schwab@linux-m68k•org>
Subject: Re: [PATCH v2 4/4] sideband: add options to allow more control sequences to be passed through
Date: Thu, 22 Jan 2026 13:29:16 +0100 (CET) [thread overview]
Message-ID: <a51f9433-e82f-bc2c-5fc4-f8ae95a859f8@gmx.de> (raw)
In-Reply-To: <xmqqa4y81ag8.fsf@gitster.g>
Hi Junio,
I disagree with making sideband sanitization opt-in or weakening it based
on a "trusted remote" heuristic. In this context, emitting untrusted bytes
to a terminal without proper sanitization is a security-relevant bug;
safe-by-default should be the baseline.
On Tue, 20 Jan 2026, Junio C Hamano wrote:
> [...] forcing this filtering on everybody [...] unless it is enabled by
> default. [...]
If the goal is to mitigate terminal escape injection from
remote-controlled output, then shipping it disabled by default does not
mitigate the default case. Most users will not discover or enable a
hardening knob until after an incident.
> Two levels of defaults [...] trusted daily remotes vs new remotes.
> [...]
I don't think we can safely infer "trusted enough to write to my terminal"
from "I fetch from there often". A previously-trusted remote can be
compromised, after all. Which means that a trust-based default is a
foot-gun: it creates a path where users believe they're protected while
the program is intentionally passing through attacker-controlled escape
sequences.
Besides, allowing "colorful output from their hooks" _is already allowed
by default_ in the proposed patch series. The config variable
`sideband.allowControlCharacters` isn't an "all or nothing" setting, after
all.
> [...] you shouldn't have to manually configure "I accept colors from
> them". [...]
Color is already a narrowly-scoped exception. Cursor movement / erase
sequences are in a different category because they can rewrite prior
output and hide what actually happened. If we want to allow them, it
should remain explicit opt-in on the client, not something we enable
automatically based on repository state.
If the argument is "setting `sideband.allowControlCharacters` to `color`
by default breaks common workflows on established remotes",
can you point to a concrete repro (hook snippet + terminal + escape
sequences relied on) or a public example? Without that, I don't think we
should bias the default toward pass-through of higher-risk sequences.
Absent such evidence, the best way to proceed is to keep sanitization
enabled by default for sideband output (modulo color), with the clearly
documented escape hatch for users who knowingly want additional sequences.
If there is a strong need for per-remote behavior, there is
`sideband.<url>.allowControlCharacters`, as per v3), i.e. users _do_ have
that option _after_ stating that they trust that particular remote not to
wreak havoc with their terminal.
Also keep in mind that this patch series' scope is the sideband channel;
The fact that SSH-based transports patch through `stderr` (completely
side-stepping sideband) is out of scope.
Ciao,
Johannes
P.S.: Junio: if we continue to discuss "opt-in"/"opt-out", I think we
need to be more explicit about which behavior we mean. We now have multiple
levels in `sideband.allowControlCharacters` (default allows color;
`cursor`, `erase`, `false` and `true` allow more fine-grained levels).
If the proposal is "full pass-through of all control characters is
opt-in", or "full sanitizing of all control characters is opt-in", I
whole-heartedly agree: That is already opt-in via setting
`sideband.allowControlCharacters` to `false` or `true`, respectively.
If the proposal is "keep the historical behavior (verbatim sideband
payload, no sanitization) as the default, and make sanitization opt-in", I
am firmly opposed: This makes the sideband payload remote-controlled; A
security hardening that is off by default will not protect the default
user population.
Can you confirm which of these two meanings you intend when you say
"opt-in" here? Once that's clarified, we can discuss whether the default
should remain at "color-only" (today's default) with explicit opt-in for
riskier sequences, or whether you're arguing for no filtering at all by
default.
next prev parent reply other threads:[~2026-01-22 12:29 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-14 18:19 [PATCH 0/3] Sanitize sideband channel messages Johannes Schindelin via GitGitGadget
2025-01-14 18:19 ` [PATCH 1/3] sideband: mask control characters Johannes Schindelin via GitGitGadget
2025-01-15 14:49 ` Phillip Wood
2025-12-02 15:43 ` Johannes Schindelin
2025-01-15 15:17 ` Andreas Schwab
2025-01-15 16:24 ` Junio C Hamano
2025-01-14 18:19 ` [PATCH 2/3] sideband: introduce an "escape hatch" to allow " Johannes Schindelin via GitGitGadget
2025-01-14 18:19 ` [PATCH 3/3] sideband: do allow ANSI color sequences by default Johannes Schindelin via GitGitGadget
2025-01-14 22:50 ` [PATCH 0/3] Sanitize sideband channel messages brian m. carlson
2025-01-16 6:45 ` Junio C Hamano
2025-01-28 16:03 ` Ondrej Pohorelsky
2025-01-31 17:55 ` Junio C Hamano
2025-12-02 14:11 ` Johannes Schindelin
2025-12-03 0:47 ` brian m. carlson
2025-12-03 8:04 ` Johannes Schindelin
2025-01-15 14:49 ` Phillip Wood
2025-12-02 14:56 ` Johannes Schindelin
2025-12-17 14:23 ` [PATCH v2 0/4] " Johannes Schindelin via GitGitGadget
2025-12-17 14:23 ` [PATCH v2 1/4] sideband: mask control characters Johannes Schindelin via GitGitGadget
2026-01-09 12:38 ` Patrick Steinhardt
2026-01-16 19:29 ` Johannes Schindelin
2025-12-17 14:23 ` [PATCH v2 2/4] sideband: introduce an "escape hatch" to allow " Johannes Schindelin via GitGitGadget
2025-12-18 2:22 ` Junio C Hamano
2025-12-18 17:59 ` Johannes Schindelin
2025-12-19 13:33 ` Junio C Hamano
2026-01-16 19:25 ` Johannes Schindelin
2026-01-09 12:38 ` Patrick Steinhardt
2025-12-17 14:23 ` [PATCH v2 3/4] sideband: do allow ANSI color sequences by default Johannes Schindelin via GitGitGadget
2026-01-09 12:38 ` Patrick Steinhardt
2026-01-16 19:38 ` Johannes Schindelin
2025-12-17 14:23 ` [PATCH v2 4/4] sideband: add options to allow more control sequences to be passed through Johannes Schindelin via GitGitGadget
2026-01-09 12:38 ` Patrick Steinhardt
2026-01-10 17:26 ` brian m. carlson
2026-01-15 21:14 ` Jeff King
2026-01-15 21:36 ` Junio C Hamano
2026-01-15 23:12 ` Johannes Schindelin
2026-01-16 6:45 ` Patrick Steinhardt
2026-01-16 12:12 ` Ondrej Pohorelsky
2026-01-16 15:21 ` Junio C Hamano
2026-01-16 18:46 ` Johannes Schindelin
2026-01-16 19:24 ` Junio C Hamano
2026-01-19 7:20 ` Patrick Steinhardt
2026-01-19 22:16 ` brian m. carlson
2026-01-20 2:41 ` D. Ben Knoble
2026-01-20 17:05 ` Junio C Hamano
2026-01-20 19:31 ` Jeff King
2026-01-20 20:11 ` Junio C Hamano
2026-01-21 7:39 ` Patrick Steinhardt
2026-01-22 12:29 ` Johannes Schindelin [this message]
2026-01-22 17:58 ` Junio C Hamano
2026-01-15 23:10 ` brian m. carlson
2026-02-03 1:11 ` Junio C Hamano
2026-02-03 7:12 ` Johannes Schindelin
2026-02-03 19:00 ` Junio C Hamano
2026-02-04 19:35 ` Junio C Hamano
2026-01-16 19:47 ` Johannes Schindelin
2026-01-16 22:26 ` [PATCH v3 0/5] Sanitize sideband channel messages Johannes Schindelin via GitGitGadget
2026-01-16 22:26 ` [PATCH v3 1/5] sideband: mask control characters Johannes Schindelin via GitGitGadget
2026-01-16 22:26 ` [PATCH v3 2/5] sideband: introduce an "escape hatch" to allow " Johannes Schindelin via GitGitGadget
2026-01-16 22:26 ` [PATCH v3 3/5] sideband: do allow ANSI color sequences by default Johannes Schindelin via GitGitGadget
2026-01-16 22:26 ` [PATCH v3 4/5] sideband: add options to allow more control sequences to be passed through Johannes Schindelin via GitGitGadget
2026-01-16 22:26 ` [PATCH v3 5/5] sideband: offer to configure sanitizing on a per-URL basis Johannes Schindelin via GitGitGadget
2026-01-16 22:32 ` [PATCH v3 0/5] Sanitize sideband channel messages Johannes Schindelin
2026-02-03 10:17 ` [PATCH v4 0/6] " Johannes Schindelin via GitGitGadget
2026-02-03 10:17 ` [PATCH v4 1/6] sideband: mask control characters Johannes Schindelin via GitGitGadget
2026-02-03 10:17 ` [PATCH v4 2/6] sideband: introduce an "escape hatch" to allow " Johannes Schindelin via GitGitGadget
2026-02-03 10:17 ` [PATCH v4 3/6] sideband: do allow ANSI color sequences by default Johannes Schindelin via GitGitGadget
2026-02-03 10:18 ` [PATCH v4 4/6] sideband: add options to allow more control sequences to be passed through Johannes Schindelin via GitGitGadget
2026-02-03 10:18 ` [PATCH v4 5/6] sideband: offer to configure sanitizing on a per-URL basis Johannes Schindelin via GitGitGadget
2026-02-03 10:18 ` [PATCH v4 6/6] sideband: delay sanitizing by default to Git v3.0 Johannes Schindelin via GitGitGadget
2026-02-04 19:26 ` [PATCH v4 0/6] Sanitize sideband channel messages Junio C Hamano
2026-02-05 14:48 ` Junio C Hamano
2026-02-13 23:50 ` Junio C Hamano
2026-03-02 18:11 ` [PATCH 0/3] Sanitizing sideband output Junio C Hamano
2026-03-02 18:11 ` [PATCH 1/3] sideband: drop 'default' configuration Junio C Hamano
2026-03-02 18:11 ` [PATCH 2/3] sideband: delay sanitizing by default to Git v3.0 Junio C Hamano
2026-03-02 18:11 ` [PATCH 3/3] sideband: conditional documentation fix Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 0/7] Sanitizing sideband output Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 1/7] sideband: mask control characters Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 2/7] sideband: introduce an "escape hatch" to allow " Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 3/7] sideband: do allow ANSI color sequences by default Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 4/7] sideband: add options to allow more control sequences to be passed through Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 5/7] sideband: offer to configure sanitizing on a per-URL basis Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 6/7] sideband: drop 'default' configuration Junio C Hamano
2026-03-05 23:34 ` [PATCH v5 7/7] sideband: delay sanitizing by default to Git v3.0 Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a51f9433-e82f-bc2c-5fc4-f8ae95a859f8@gmx.de \
--to=johannes.schindelin@gmx$(echo .)de \
--cc=git@vger$(echo .)kernel.org \
--cc=gitgitgadget@gmail$(echo .)com \
--cc=gitster@pobox$(echo .)com \
--cc=opohorel@redhat$(echo .)com \
--cc=peff@peff$(echo .)net \
--cc=phillip.wood123@gmail$(echo .)com \
--cc=ps@pks$(echo .)im \
--cc=sandals@crustytoothpaste$(echo .)net \
--cc=schwab@linux-m68k$(echo .)org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox