filter out control characters in error messages

giveup changed to filter out control characters. (It is too low level to make it use StringContainingQuotedPath.) error still does not, but it should only be used for internal errors, where the message is not attacker-controlled. Changed a lot of existing error to giveup when it is not strictly an internal error. Of course, other exceptions can still be thrown, either by code in git-annex, or a library, that include some attacker-controlled value. This does not guard against those. Sponsored-by: Noam Kremen on Patreon
2023-04-10 13:38:14 -04:00 · 2023-04-10 13:38:14 -04:00 · cd544e548b
commit cd544e548b
parent 063c00e4f7
69 changed files with 142 additions and 103 deletions
--- a/doc/todo/terminal_escapes_in_filenames.mdwn
+++ b/doc/todo/terminal_escapes_in_filenames.mdwn
@ -36,7 +36,7 @@ behave more like git.
 > Update: Most git-annex commands now quote filenames, due to work on
 > ActionItem display. `git-annex find`, `git-annex info $file`,
 > and everywhere filenames get
-> embedded in error messages, warnings, info messages, still need to be done.
+> embedded in warnings, info messages, still need to be done.

 ----

@ -59,3 +59,9 @@ out control characters. If such an url even can be parsed?

 Also: git-annex initremote with autoenable may be able to cause a remote
 with a malicious name to be set up?
+
+Also: Any place that an exception is thrown with an attacker-controlled value.
+`giveup` has been made to filter out control characters, but that leave
+other exceptions, including ones thrown by libraries. Catch all exceptions
+at top-level (of program and/or worker threads) and filter out control
+characters?