[
https://issues.apache.org/jira/browse/PDFBOX-6045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18009239#comment-18009239
]
Michael Klink commented on PDFBOX-6045:
---------------------------------------
Removing such sequences IMO is not the best option.
When logging some text, one usually does so because one assumes that that text
may help in debugging certain problems. If you simply remove parts of the
string, the debugging person may be led astray by the appearance of the
remaining string, be it because the ESCape character or sequence is causing the
bug, or be it because removing the sequence shortens the string.
> Potential Console Corruption
> ----------------------------
>
> Key: PDFBOX-6045
> URL: https://issues.apache.org/jira/browse/PDFBOX-6045
> Project: PDFBox
> Issue Type: Bug
> Affects Versions: 4.0.0
> Reporter: David Justamante
> Priority: Minor
> Attachments: image1.png, image2.png
>
>
> This issue is being *manually* filed by the competition organizers. We
> recognize there is a number of AI generated submissions as of late. We have
> gone through the manual process of bug/patch validation to prevent
> unnecessary "noise", respecting maintainers' time.
> This submission is being sent as part of DARPA's AIxCC competition.
> (https://aicyberchallenge.com) This issue was discovered and validated by
> competition engineers during challenge development. The patch was manually
> constructed by the competition engineers.
> We found via fuzzing that our console would occasionally get corrupted. This
> is caused from not filtering user-generated data during logging (and our
> choice to log to the console).
> In the first screenshot, you can see the point when the corruption happens.
> In the second, you can see the overall outcome.
> !image1.png|width=720,height=77!
> !image2.png|width=2009,height=664!
> We think the fix is to prevent {{\u001b}} from being written to logs. There
> may be other solutions.
> The above shows corruption via the font or maybe encoding, but it would be
> possible to do other things that could be problematic for users logging to
> the console — like turning the text invisible or other things.
> Some relevant links:
> * [https://gist.github.com/fnky/458719343aabd01cfb17a3a4f7296797]
> * [https://www.youtube.com/watch?v=3T2Al3jdY38]
>
> (AIxCC Internal: CHA-1733)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: dev-h...@pdfbox.apache.org
