From cd9bb863603d6d515de921f31de0a1986dcd6f7e Mon Sep 17 00:00:00 2001
From: Maximus5
Date: Mon, 19 Dec 2022 03:53:33 +0100
Subject: [PATCH] Fix Window Title Reporting security issue. More info: https://seclists.org/fulldisclosure/2003/Feb/341
---
src/ConEmuCD/ConAnsiImpl.cpp | 3 ++-
src/ConEmuHk/Ansi.cpp | 3 ++-
src/common/WConsole.h | 3 +++
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/ConEmuCD/ConAnsiImpl.cpp b/src/ConEmuCD/ConAnsiImpl.cpp
index c2480a035e..9ae09d2633 100644
--- a/src/ConEmuCD/ConAnsiImpl.cpp
+++ b/src/ConEmuCD/ConAnsiImpl.cpp
@@ -985,10 +985,11 @@ bool SrvAnsiImpl::ReportString(LPCWSTR asRet)
 LPCWSTR pc = asRet;
 for (int i = 0; i < nLen; i++, p++, pc++)
 {
+ const char ch = (wcschr(UNSAFE_CONSOLE_REPORT_CHARS, *pc) == nullptr) ? *pc : L' ';
 p->EventType = KEY_EVENT;
 p->Event.KeyEvent.bKeyDown = TRUE;
 p->Event.KeyEvent.wRepeatCount = 1;
- p->Event.KeyEvent.uChar.UnicodeChar = *pc;
+ p->Event.KeyEvent.uChar.UnicodeChar = ch;
 }

 DumpKnownEscape(asRet, nLen, SrvAnsi::de_Report);
diff --git a/src/ConEmuHk/Ansi.cpp b/src/ConEmuHk/Ansi.cpp
index fa8ae4b578..ad09771460 100644
--- a/src/ConEmuHk/Ansi.cpp
+++ b/src/ConEmuHk/Ansi.cpp
@@ -2505,10 +2505,11 @@ BOOL CEAnsi::ReportString(LPCWSTR asRet)
 LPCWSTR pc = asRet;
 for (size_t i = 0; i < nLen; i++, p++, pc++)
 {
+ const char ch = (wcschr(UNSAFE_CONSOLE_REPORT_CHARS, *pc) == nullptr) ? *pc : L' ';
 p->EventType = KEY_EVENT;
 p->Event.KeyEvent.bKeyDown = TRUE;
 p->Event.KeyEvent.wRepeatCount = 1;
- p->Event.KeyEvent.uChar.UnicodeChar = *pc;
+ p->Event.KeyEvent.uChar.UnicodeChar = ch;
 }

 DumpKnownEscape(asRet, nLen, de_Report);
diff --git a/src/common/WConsole.h b/src/common/WConsole.h
index b855a690ab..240605eec4 100644
--- a/src/common/WConsole.h
+++ b/src/common/WConsole.h
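Review bot: The added `const char ch` in SrvAnsiImpl::ReportString (src/ConEmuCD/ConAnsiImpl.cpp) narrows the character to 8 bits after `wcschr` has already checked the full `wchar_t` value, so the value stored in `UnicodeChar` is not the value that was checked. Every character above U+00FF is corrupted in the reported string, and a code point whose low byte is 0x0D, 0x0A or 0x09 passes the check and is then truncated to exactly the CR, LF or TAB this filter is meant to remove; where `char` is signed, values 0x80–0xFF are also sign-extended on the way back to `WCHAR`. Keep the variable wide: `const wchar_t ch = (wcschr(UNSAFE_CONSOLE_REPORT_CHARS, *pc) == nullptr) ? *pc : L' ';`. The identical line is added to CEAnsi::ReportString in src/ConEmuHk/Ansi.cpp and needs the same change; both function bodies start and end outside their hunks.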
@@ -52,6 +52,9 @@ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #define DISABLE_NEWLINE_AUTO_RETURN 0x0008
 #endif

+// These keys should not be reported back to console input
+#define UNSAFE_CONSOLE_REPORT_CHARS L"\r\n\t"
+
 struct MY_CONSOLE_SCREEN_BUFFER_INFOEX
 {
 ULONG cbSize;
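Review bot: `UNSAFE_CONSOLE_REPORT_CHARS` lists only CR, LF and TAB, so any other control character in a reported string (BS 0x08 or DEL 0x7F, for instance) is still written to console input as a key event, and the comment says neither what happens to the listed characters nor where. ReportString looks like the shared path for every console report and presumably has to let ESC through for legitimate replies, so a wider control-character filter probably belongs where the window title is copied into the reply rather than in this list; that code is not part of this patch, so this needs confirming there. For the comment I would write `// Characters ReportString replaces with L' ' before a report (e.g. the window title) is written to console input`.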