undefined | Better HN

0 pointscouchand10y ago0 comments

Why would git strip formatting from my message? If my team wants colorful messages why should git be the one to say we're wrong?

Git commit messages are used for lots of different things, but at the end of the day it's just another piece of data included in a hash in a content-addressable file system.

If you're doing something with that tool where including formatting like this would be considered a vulnerability, it's on you to take care of that. It's exactly the same with any other bug or exploit in your codebase: it's not git's fault that you committed it.

0 comments

trampi10y ago

If you need to have this feature, then you should have to opt in (git config for example). But i have very good reasons to say that the default should properly escape the messages before printing them. I would not like it to clone a repo from github and having "git log" let my terminal go crazy. You unterstand, that this issue can have bigger impact than blinking commit messages, right?

couchandOP10y ago

Terminal attacks are not new and the solution isn't to expect every individual program to escape terminal escape codes.

    The ideal solution is to sanitize all data before displaying it
    on your terminal, however without a custom terminal application
    or data filter, you can't guarantee that every tool you use on
    the command-line is going to strip escape sequences. The
    responsibility should rest on the actual terminal emulator; any
    features that allow file or command-line access should be
    disabled by default and more attention should be paid to new
    features that implement any use of escape sequences. [0]

Are you cloning untrusted repositories to your computer and running git log blindly?

[0]: http://marc.info/?l=bugtraq&m=104612710031920

tetrep10y ago

no?

I mean, it would be super nice for your terminal emulator to just automagically filter out escape sequences when you, the user, do not want them and to allow them for programs that you do. a whitelist would work but would be super annoying to actually verify as so many programs output things from so many different inputs. it seems like programs themselves should decide if they need to output arbitrary data and, in cases where they don't, like git, they can filter it.

1 more reply

j / k navigate · click thread line to collapse