I'm not convinced that really cuts it. Namely, from the diff: - print(" %s" % (info["description"] or "")) + # strip ANSI escape sequences + description = re.sub(r"(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]", + "", info["description"] or "") + + print(" %s" % description)
There are sequences that don't get filtered by that. Aside from the usual things like \r or \b, it looks like https://man7.org/linux/man- pages/man4/console_codes.4.html lists a few codes that defy it too. While that diff above might be the "stackoverflow answer", it doesn't seem complete. Instead, why not just adopt a whitelist policy? Only allow visible and space characters, or something like that. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to software-properties in Ubuntu. https://bugs.launchpad.net/bugs/1890286 Title: ansi escape sequence injection in add-apt-repository Status in software-properties package in Ubuntu: Fix Released Bug description: This was reported to oss-security and to secur...@ubuntu.com, but I figure I should make a real bug report, as otherwise it'll probably be missed. Original post from https://www.openwall.com/lists/oss- security/2020/08/03/1 follows below. -- Hi, I've found a rather low grade concern: I'm able to inject ANSI escape sequences into PPA descriptions on Launchpad, and then have them rendered by add-apt-repository *before* the user consents to actually adding that repository. There might be some sort of trust barrier issue with that. This could be used to clear the screen and imitate a fresh bash prompt, upload files, dump the current screen to a file, or other classic shenanigans, well chronicled in the archives of oss-sec. PoC time -- I'm using this "feature" for good at the moment to announce the deprecation in bold text of a PPA that I maintain: https://data.zx2c4.com/add-apt-repository-ansi-injection.png The proper fix to this is likely to do sanitization on the add-apt-repository side. Regards, Jason To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1890286/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp