Open alexanderkjall opened 4 years ago
link to issues:
ncurses: https://github.com/jeaye/ncurses-rs/issues/196
pancurses: https://github.com/ihalila/pancurses/issues/77
Thank you very much for this!
I sort of missed the fact that a null byte was valid in a &str - indeed it'll cause some trouble in FFI.
I suppose we should sanitize any input string (in addition to null bytes, we may want to remove some control codes as well).
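As an added example (not cursive's code, nor that of the ncurses or pancurses crates), a small Rust program showing why an interior NUL in a &str breaks the CString conversion an FFI call needs, together with a hypothetical sanitize_for_terminal helper that strips NUL and the other control characters the comment above suggests removing:

```rust
use std::ffi::{CString, NulError};

/// Convert text to a C string for an FFI call such as a curses addstr().
/// Fails if the text contains an interior NUL, which a C string cannot
/// carry; this is the hazard discussed in the thread.
pub fn to_c_string(text: &str) -> Result<CString, NulError> {
    CString::new(text)
}

/// Hypothetical sanitizer (not cursive's code): drop NUL and every other
/// Unicode control character (category Cc: U+0000..=U+001F and
/// U+007F..=U+009F) from untrusted text before it reaches a terminal
/// backend. Dropping ESC (U+001B) also neutralizes embedded ANSI sequences.
pub fn sanitize_for_terminal(text: &str) -> String {
    text.chars().filter(|c| !c.is_control()).collect()
}

/// Sanitize first, then convert; the conversion can no longer fail on NUL.
pub fn untrusted_to_c_string(text: &str) -> CString {
    CString::new(sanitize_for_terminal(text))
        .expect("sanitizer removed every NUL byte")
}

fn main() {
    // Constructed sample inputs of the kind a fuzzer would produce.
    let with_nul = "hello\0world";
    let with_escape = "title\x1b[2J\x1b[H hidden";

    match to_c_string(with_nul) {
        Ok(_) => println!("unexpected: NUL accepted"),
        Err(e) => println!("CString::new rejected NUL at byte {}", e.nul_position()),
    }
    println!("{:?}", untrusted_to_c_string(with_nul));
    println!("{:?}", untrusted_to_c_string(with_escape));
}
```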
First: is this a bug report? A suggestion? Or asking for help?
Just some information, and a small suggestion.
Problem description
I wrote a small setup to fuzz the display of untrusted strings with cursive: https://github.com/alexanderkjall/cursive/commit/fada64679f1c37eec59da9662404165d2602e4a2
default ncurses backend
crossterm backend
No issue found after half an hour of fuzzing.
pancurses-backend
termion-backend
This panic is in my fuzzing code, so it might be a false positive, but might also be some sort of resource leakage.
blt-backend
No fuzzing done; I had a hard time getting this to work on Ubuntu, and my Arch system isn't available right now.
Suggestions
I have not gone over and replicated the issues in each of the underlying libraries and reported issues there yet.
Looking at the open issues in the ncurses library, it looks like there are a lot of security issues open that haven't been addressed yet: https://github.com/jeaye/ncurses-rs/issues
I would recommend either switching the default backend to a safer one, or at least having a warning note about it in the documentation, as cursive labels itself "It is designed to be safe and easy to use".
Environment