Strip control characters from info screen titles

natoscott · claude · natoscott · commit 001eb635dfe3 · 2026-05-18T11:03:16.000+10:00
Sanitise the title string in InfoScreen_drawTitled() before passing it to mvaddstr(), preventing terminal escape sequence injection via crafted process argv[0]. Adds Char_isControl() and String_stripControlChars() helpers to XUtils for reuse. Closes: GHSA-q64m-h5hc-c4qq Reported-by: Michał Majchrowicz (AFINE Team) Reported-by: Marcin Wyczechowski (AFINE Team) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/InfoScreen.c b/InfoScreen.c
@@ -59,6 +59,8 @@ void InfoScreen_drawTitled(InfoScreen* this, const char* fmt, ...) {
       memset(&title[COLS - 3], '.', 3);
    }
 
+   String_stripControlChars(title);
+
    attrset(CRT_colors[METER_TEXT]);
    mvhline(0, 0, ' ', COLS);
    mvaddstr(0, 0, title);
diff --git a/XUtils.h b/XUtils.h
@@ -131,6 +131,19 @@ static inline ssize_t full_write_str(int fd, const char* str) {
    return full_write(fd, str, strlen(str));
 }
 
+static inline bool Char_isControl(char c) {
+   return (unsigned char)c < ' ' || c == '\x7F';
+}
+
+/* Replace control characters (C0 and DEL) with a safe substitute. */
+ATTR_NONNULL
+static inline void String_stripControlChars(char* s) {
+   for (; *s; s++) {
+      if (Char_isControl(*s))
+         *s = '?';
+   }
+}
+
 /* Compares floating point values for ordering data entries. In this function,
    NaN is considered "less than" any other floating point value (regardless of
    sign), and two NaNs are considered "equal" regardless of payload. */

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,8 @@ void InfoScreen_drawTitled(InfoScreen* this, const char* fmt, ...) {`
`59`	`59`	`memset(&title[COLS - 3], '.', 3);`
`60`	`60`	`}`
`61`	`61`
	`62`	`+ String_stripControlChars(title);`
	`63`	`+`
`62`	`64`	`attrset(CRT_colors[METER_TEXT]);`
`63`	`65`	`mvhline(0, 0, ' ', COLS);`
`64`	`66`	`mvaddstr(0, 0, title);`