On 2026-01-09 at 12:38:31, Patrick Steinhardt wrote: > On Wed, Dec 17, 2025 at 02:23:42PM +0000, Johannes Schindelin via GitGitGadget wrote: > > From: Johannes Schindelin > > > > Even though control sequences that erase characters are quite juicy for > > attack scenarios, where attackers are eager to hide traces of suspicious > > activities, during the review of the side band sanitizing patch series > > concerns were raised that there might be some legimitate scenarios where > > Git server's `pre-receive` hooks use those sequences in a benign way. > > > > Control sequences to move the cursor can likewise be used to hide tracks > > by overwriting characters, and have been equally pointed out as having > > legitimate users. > > > > Let's add options to let users opt into passing through those ANSI > > Escape sequences: `sideband.allowControlCharacters` now supports also > > `cursor` and `erase`, and it parses the value as a comma-separated list. > > Hm, okay. I don't really see much of a reason to allow these, but now > that the code exists already I don't see a reason why we should remove > those options again. The reason these sequences, along with other sequences not mentioned in this series, are useful is because people run tools like build tools (e.g., Cargo) or linters in pre-receive hooks and print the output and those use a substantial portion of possible escape sequences. I did a brief survey sometime back of pre-receive hooks on GitHub to see what escape sequences were in use. I think Heroku has a push-to-deploy technique that leverages this approach to build and deploy your app, for instance. This is one of the reasons that I was opposed to this series: it tends to break what is a very common use case. Certainly it is not as common for cloud-based forge environments, but it is very common for people to do these kinds of things in self-hosted forge environments (where custom pre-receive hooks are commonly used) or in non-forge environments like push-to-deploy. -- brian m. carlson (they/them) Toronto, Ontario, CA