I'm not convinced that really cuts it. Namely, from the diff:

-        print(" %s" % (info["description"] or ""))
+        # strip ANSI escape sequences
+        description = re.sub(r"(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]",
+                             "", info["description"] or "")
+
+        print(" %s" % description)
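Review bot: the pattern in `re.sub(r"(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]", "", ...)` only matches CSI sequences (0x9B or ESC `[` followed by parameter, intermediate and final bytes), so the other sequence families in console_codes(4), such as OSC (ESC `]`) and the single-character ESC sequences, and bare control characters like `\r` and `\b`, reach `print` unchanged. A whitelist is simpler to reason about and would cover all of these at once, e.g. `description = "".join(ch for ch in (info["description"] or "") if ch.isprintable())`; the comment should then say the field is reduced to printable characters and spaces rather than "strip ANSI escape sequences", which overstates what the current regex does.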

There are sequences that don't get filtered by that. Aside from the
usual things like \r or \b, it looks like
https://man7.org/linux/man-pages/man4/console_codes.4.html lists a few
codes that defy it too. While that diff above might be the
"stackoverflow answer", it doesn't seem complete.

Instead, why not just adopt a whitelist policy? Only allow visible and
space characters, or something like that.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1890286

Title:
  ansi escape sequence injection in add-apt-repository

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1890286/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
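To make the comparison concrete, here is an added example (not code from the bug report or from software-properties) that places the blocklist regex from the diff beside the whitelist approach the comment suggests, and adds a small check that reports which control characters a sanitizer let through. The sample descriptions are constructed; the whitelist relies on Python 3's `str.isprintable()`, which rejects every Unicode control, format and separator character except the ASCII space.

```python
import re

# Regex as proposed in the diff: matches CSI sequences only
# (0x9B or ESC '[' , parameter bytes, intermediate bytes, final byte).
CSI_RE = re.compile(r"(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]")


def strip_csi(text):
    """Blocklist sanitizer from the diff: removes CSI sequences and nothing else."""
    return CSI_RE.sub("", text)


def keep_printable(text):
    """Whitelist sanitizer: keep only printable characters and ASCII spaces.

    str.isprintable() is False for every Unicode 'Other' (controls, formats,
    surrogates, unassigned) and 'Separator' character except U+0020, so ESC,
    BEL, CR, BS and the C1 range are all dropped regardless of what follows.
    """
    return "".join(ch for ch in text if ch.isprintable())


def residual_controls(text):
    """Return the non-printable characters still present after sanitizing.

    Useful as a unit-test oracle for a sanitizer: an empty list means nothing
    the terminal could interpret as a control sequence survived.
    """
    return [ch for ch in text if not ch.isprintable()]


# Constructed sample descriptions, as a PPA owner could publish them.
SAMPLES = {
    "csi_colour": "\x1b[31mred\x1b[0m",      # CSI: the one case the regex handles
    "osc_title": "\x1b]0;title\x07name",     # OSC (ESC ']') is not CSI
    "bare_controls": "a\rb\bc",              # CR and BS are plain C0 controls
}


def compare(samples=SAMPLES):
    """Run both sanitizers over the samples; report leftover controls for each."""
    report = {}
    for name, raw in samples.items():
        report[name] = {
            "blocklist": residual_controls(strip_csi(raw)),
            "whitelist": residual_controls(keep_printable(raw)),
        }
    return report


if __name__ == "__main__":
    for name, result in compare().items():
        print("%-14s blocklist leaves %r, whitelist leaves %r"
              % (name, result["blocklist"], result["whitelist"]))
```

The trade-off is visible in the first sample: the whitelist turns `ESC [ 3 1 m` into the visible residue `[31m`, which is ugly but inert, whereas the blocklist leaves the OSC and bare-control samples byte-for-byte intact. If readability of legitimate descriptions matters, the two can be combined (strip CSI first, then whitelist), and `residual_controls` gives a direct assertion that the final output contains nothing a terminal will interpret.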