I'm not convinced that really cuts it. Namely, from the diff: - print(" %s" % (info["description"] or "")) + # strip ANSI escape sequences + description = re.sub(r"(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]", + "", info["description"] or "") + + print(" %s" % description)
There are sequences that don't get filtered by that. Aside from the usual things like \r or \b, it looks like https://man7.org/linux/man- pages/man4/console_codes.4.html lists a few codes that defy it too. While that diff above might be the "stackoverflow answer", it doesn't seem complete. Instead, why not just adopt a whitelist policy? Only allow visible and space characters, or something like that. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1890286 Title: ansi escape sequence injection in add-apt-repository To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1890286/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs