Fix Window Title Reporting security issue.

More info: https://seclists.org/fulldisclosure/2003/Feb/341
Maximus5 · Dec 19, 2022 · cd9bb86 · cd9bb86 · DRSDavidSoft · Jul 21, 2023
1 parent b57048d
commit cd9bb86
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/src/ConEmuCD/ConAnsiImpl.cpp b/src/ConEmuCD/ConAnsiImpl.cpp
@@ -985,10 +985,11 @@ bool SrvAnsiImpl::ReportString(LPCWSTR asRet)
 	LPCWSTR pc = asRet;
 	for (int i = 0; i < nLen; i++, p++, pc++)
 	{
+		const char ch = (wcschr(UNSAFE_CONSOLE_REPORT_CHARS, *pc) == nullptr) ? *pc : L' ';
 		p->EventType = KEY_EVENT;
 		p->Event.KeyEvent.bKeyDown = TRUE;
 		p->Event.KeyEvent.wRepeatCount = 1;
-		p->Event.KeyEvent.uChar.UnicodeChar = *pc;
+		p->Event.KeyEvent.uChar.UnicodeChar = ch;
 	}
 
 	DumpKnownEscape(asRet, nLen, SrvAnsi::de_Report);

diff --git a/src/ConEmuHk/Ansi.cpp b/src/ConEmuHk/Ansi.cpp
@@ -2505,10 +2505,11 @@ BOOL CEAnsi::ReportString(LPCWSTR asRet)
 	LPCWSTR pc = asRet;
 	for (size_t i = 0; i < nLen; i++, p++, pc++)
 	{
+		const char ch = (wcschr(UNSAFE_CONSOLE_REPORT_CHARS, *pc) == nullptr) ? *pc : L' ';
 		p->EventType = KEY_EVENT;
 		p->Event.KeyEvent.bKeyDown = TRUE;
 		p->Event.KeyEvent.wRepeatCount = 1;
-		p->Event.KeyEvent.uChar.UnicodeChar = *pc;
+		p->Event.KeyEvent.uChar.UnicodeChar = ch;
 	}
 
 	DumpKnownEscape(asRet, nLen, de_Report);

diff --git a/src/common/WConsole.h b/src/common/WConsole.h
@@ -52,6 +52,9 @@ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #define DISABLE_NEWLINE_AUTO_RETURN 0x0008
 #endif
 
+// These keys should not be reported back to console input
+#define UNSAFE_CONSOLE_REPORT_CHARS L"\r\n\t"
+
 struct MY_CONSOLE_SCREEN_BUFFER_INFOEX
 {
 	ULONG      cbSize;