xterm/xterm-forbid_window_and_font_ops.patch

# HG changeset patch
# Parent  d5ffae3ffb4d7bccf09feb476eed67e7688d73cf
# forbid dangerous escape sequences (font loading)

Index: xterm-385/XTerm.ad
===================================================================
--- xterm-385.orig/XTerm.ad
+++ xterm-385/XTerm.ad
@@ -269,6 +269,11 @@
 ! Alternatively,
 !*on2Clicks: regex [[:alpha:]]+://([[:alnum:]!#+,./=?@_~-]|(%[[:xdigit:]][[:xdigit:]]))+
 
+! Security: Disallow operations that might allow raw text being pasted to xterm to
+! execute code.
+*allowWindowOps:	false
+*allowFontOps:		false
+
 !! We want a 8bit clean xterm
 *eightBitInput:        true
 *eightBitOutput:       true
Index: xterm-385/xterm.man
===================================================================
--- xterm-385.orig/xterm.man
+++ xterm-385/xterm.man
@@ -2277,7 +2277,7 @@ The default is \*(``true\*(''.
 .TP
 .B "allowFontOps\fP (class\fB AllowFontOps\fP)"
 Specifies whether control sequences that set/query the font should be allowed.
-The default is \*(``true\*(''.
+The default is \*(``false\*(''.
 .TP
 .B "allowMouseOps\fP (class\fB AllowMouseOps\fP)"
 Specifies whether control sequences that enable \fI\*n\fP to send
Accepting request 631631 from home:pcerny:factory - Patch #335 - 2018/08/14 * add colorInnerBorder resource to make a change from patch #334 configurable (reports by H Merijn Brand, Gabriele Balducci). - Patch #334 - 2018/08/12 * modify Imakefile to reflect the fact that NetBSD no longer has a working termcap emulation. * add resource-setting validShells which can be used to augment the system's /etc/shell (prompted by discussion with Paul Lampert). * stifle some useless warnings from lintian in test-packages. * add the ncurses extension “RGB” to the responses for the termcap-query feature. * improved getopts-handling in sample scripts. * fix some warnings from gcc8 and clang --analyze. * update note about incorrect documentation for DECRQSS to include VT525 (report by Markus Schmidt). * correct check for default-values in rectangular parsing; a zero counts as a missing or default parameter (report/testcase by Markus Schmidt). * correct some ranges in the ambiguous[] table in wcwidth (adapted from patch by KUGA Tsutomu). * fix a special case with faint video attribute incorrectly combined with default color. * add private control XTREPORTSGR for reporting video-attributes and color on a rectangle, and script report-sgr.pl to demonstrate it. * modify some of the markup in ctlseqs.ms to work around groff's reassignment of ASCII punctuation characters as documented in groff_char(7). OBS-URL: https://build.opensuse.org/request/show/631631 OBS-URL: https://build.opensuse.org/package/show/X11:terminals/xterm?expand=0&rev=158 2018-08-26 23:45:34 +02:00			`# HG changeset patch`
			`# Parent d5ffae3ffb4d7bccf09feb476eed67e7688d73cf`
Accepting request 176920 from home:pcerny:factory ! temporarily pass gpg verification, since it claims that ! the signature file is inaccessible - Patch #293 - 2013/05/27 * modify sample xterm.spec to use newer icon * add configure option --with-icon-symlink to work around systems which map icon requests for to a single "xterm" icon, but neglect to install the icon needed for window decorations (report by H Merijn Brand). * improve parameterizing of sample xterm.spec * amend fix for printer from patch #280, removing a reset of the signal handler for SIGCHLD (report by Joe Julian). * set environment variable XTERM_FILTER if a locale-filter is used. * enable DEBUG logic when --enable-trace configure option is given. * improve description of initialFont, set-vt-font and set-tex-text in manpage (Debian #707899). * fix regression from patch #292; selecting a word that ended at the right margin without wrapping would not select the last cell (report by Christian Weisgerber). - cleanup of spec file and patches OBS-URL: https://build.opensuse.org/request/show/176920 OBS-URL: https://build.opensuse.org/package/show/X11:terminals/xterm?expand=0&rev=74 2013-05-29 16:46:55 +02:00			`# forbid dangerous escape sequences (font loading)`

Accepting request 1114902 from home:polslinux:branches:X11:terminals - update to 385: * fixes for ReGIS (report by Ben Wong). + correct conversion from HLS to RGB + improve font-caching performance. * update tables in wcwidth.c based on Unicode 15.1.0 * improve fastScroll resource: + suppress screen-refreshes for carriage-returns + add -jf option to simplify use of this resource. + add a control sequence for enabling/disabling the resource. + enable this feature by default * extend title-stack feature to allow an additional parameter to directly access the stack, like the XTPUSHCOLORS and XTPOPCOLORS feature. * correct size and position of box shown for double-cell character which happens to be missing from the bitmap font (report by Peter Fabinski). * improved configure script: + add pattern for uClibc-ng to CF_XOPEN_SOURCE (report/patch by Waldemar Brodkorb). + add configure options --with-utmp-path and --with-wtmp-path to override configure script's check for utmp/wtmp pathnames which are shown in the manual (Debian #1042767). + CF_XOPEN_SOURCE provides for defining _DEFAULT_SOURCE for MinGW32 and MinGW64. + sed expression used to report gcc version now works with MinGW * ensure that line-attributes are reset after drawing missing character (report by Christian Weisgerber). * update config.guess, config.sub - rebased all patches OBS-URL: https://build.opensuse.org/request/show/1114902 OBS-URL: https://build.opensuse.org/package/show/X11:terminals/xterm?expand=0&rev=226 2023-10-03 16:04:15 +02:00			`Index: xterm-385/XTerm.ad`
			`===================================================================`
			`--- xterm-385.orig/XTerm.ad`
			`+++ xterm-385/XTerm.ad`
			`@@ -269,6 +269,11 @@`
Accepting request 176920 from home:pcerny:factory ! temporarily pass gpg verification, since it claims that ! the signature file is inaccessible - Patch #293 - 2013/05/27 * modify sample xterm.spec to use newer icon * add configure option --with-icon-symlink to work around systems which map icon requests for to a single "xterm" icon, but neglect to install the icon needed for window decorations (report by H Merijn Brand). * improve parameterizing of sample xterm.spec * amend fix for printer from patch #280, removing a reset of the signal handler for SIGCHLD (report by Joe Julian). * set environment variable XTERM_FILTER if a locale-filter is used. * enable DEBUG logic when --enable-trace configure option is given. * improve description of initialFont, set-vt-font and set-tex-text in manpage (Debian #707899). * fix regression from patch #292; selecting a word that ended at the right margin without wrapping would not select the last cell (report by Christian Weisgerber). - cleanup of spec file and patches OBS-URL: https://build.opensuse.org/request/show/176920 OBS-URL: https://build.opensuse.org/package/show/X11:terminals/xterm?expand=0&rev=74 2013-05-29 16:46:55 +02:00			`! Alternatively,`
			`!*on2Clicks: regex [[:alpha:]]+://([[:alnum:]!#+,./=?@_~-]\|(%[[:xdigit:]][[:xdigit:]]))+`

			`+! Security: Disallow operations that might allow raw text being pasted to xterm to`
			`+! execute code.`
			`+*allowWindowOps: false`
			`+*allowFontOps: false`
			`+`
			`!! We want a 8bit clean xterm`
			`*eightBitInput: true`
			`*eightBitOutput: true`
Accepting request 1114902 from home:polslinux:branches:X11:terminals - update to 385: * fixes for ReGIS (report by Ben Wong). + correct conversion from HLS to RGB + improve font-caching performance. * update tables in wcwidth.c based on Unicode 15.1.0 * improve fastScroll resource: + suppress screen-refreshes for carriage-returns + add -jf option to simplify use of this resource. + add a control sequence for enabling/disabling the resource. + enable this feature by default * extend title-stack feature to allow an additional parameter to directly access the stack, like the XTPUSHCOLORS and XTPOPCOLORS feature. * correct size and position of box shown for double-cell character which happens to be missing from the bitmap font (report by Peter Fabinski). * improved configure script: + add pattern for uClibc-ng to CF_XOPEN_SOURCE (report/patch by Waldemar Brodkorb). + add configure options --with-utmp-path and --with-wtmp-path to override configure script's check for utmp/wtmp pathnames which are shown in the manual (Debian #1042767). + CF_XOPEN_SOURCE provides for defining _DEFAULT_SOURCE for MinGW32 and MinGW64. + sed expression used to report gcc version now works with MinGW * ensure that line-attributes are reset after drawing missing character (report by Christian Weisgerber). * update config.guess, config.sub - rebased all patches OBS-URL: https://build.opensuse.org/request/show/1114902 OBS-URL: https://build.opensuse.org/package/show/X11:terminals/xterm?expand=0&rev=226 2023-10-03 16:04:15 +02:00			`Index: xterm-385/xterm.man`
			`===================================================================`
			`--- xterm-385.orig/xterm.man`
			`+++ xterm-385/xterm.man`
			@@ -2277,7 +2277,7 @@ The default is \(``true\(''.
Accepting request 176920 from home:pcerny:factory ! temporarily pass gpg verification, since it claims that ! the signature file is inaccessible - Patch #293 - 2013/05/27 * modify sample xterm.spec to use newer icon * add configure option --with-icon-symlink to work around systems which map icon requests for to a single "xterm" icon, but neglect to install the icon needed for window decorations (report by H Merijn Brand). * improve parameterizing of sample xterm.spec * amend fix for printer from patch #280, removing a reset of the signal handler for SIGCHLD (report by Joe Julian). * set environment variable XTERM_FILTER if a locale-filter is used. * enable DEBUG logic when --enable-trace configure option is given. * improve description of initialFont, set-vt-font and set-tex-text in manpage (Debian #707899). * fix regression from patch #292; selecting a word that ended at the right margin without wrapping would not select the last cell (report by Christian Weisgerber). - cleanup of spec file and patches OBS-URL: https://build.opensuse.org/request/show/176920 OBS-URL: https://build.opensuse.org/package/show/X11:terminals/xterm?expand=0&rev=74 2013-05-29 16:46:55 +02:00			`.TP`
Accepting request 433932 from home:pcerny:factory - Patch #326 - 2016/09/25 * updated appdata file (report by Richard Hughes). * improve discussion of the different terminal emulations provided by xterm in the manual page. * add examples of setting the icon title with/without the window title in the manual (Debian #833984). * correct a limit-check when using a numeric value for extended Booleans e.g., fullscreen:3 rather than a name such as fullscreen:never. * add action allow-bold-fonts * improved formatting fixes for manual page, using script to find mismatches in spelling of resources, actions and menu entries. * improve documentation of logging resources. * fix a special case of flickering cursor by adding GraphicsExpose to the list of event types that should not trigger making the mouse cursor visible (patch by Joe Peterson). * correct initialization of line-drawing in VT52-mode, overlooked in changes for patch #297 (report/patch by Ben Wiley Sittler). * minor clarification of form-feed versus line-feed in ctlseqs.ms (suggested by David Kemper). * amend fix for Debian #738794 to restore a check for missing characters which are not combining characters. Also fill in a corresponding special case for TrueType fonts (Debian #827905). - Patch #325 - 2016/06/05 * improve manual page discussion of function keys (discussion OBS-URL: https://build.opensuse.org/request/show/433932 OBS-URL: https://build.opensuse.org/package/show/X11:terminals/xterm?expand=0&rev=140 2016-10-08 18:43:48 +02:00			`.B "allowFontOps\fP (class\fB AllowFontOps\fP)"`
Accepting request 176920 from home:pcerny:factory ! temporarily pass gpg verification, since it claims that ! the signature file is inaccessible - Patch #293 - 2013/05/27 * modify sample xterm.spec to use newer icon * add configure option --with-icon-symlink to work around systems which map icon requests for to a single "xterm" icon, but neglect to install the icon needed for window decorations (report by H Merijn Brand). * improve parameterizing of sample xterm.spec * amend fix for printer from patch #280, removing a reset of the signal handler for SIGCHLD (report by Joe Julian). * set environment variable XTERM_FILTER if a locale-filter is used. * enable DEBUG logic when --enable-trace configure option is given. * improve description of initialFont, set-vt-font and set-tex-text in manpage (Debian #707899). * fix regression from patch #292; selecting a word that ended at the right margin without wrapping would not select the last cell (report by Christian Weisgerber). - cleanup of spec file and patches OBS-URL: https://build.opensuse.org/request/show/176920 OBS-URL: https://build.opensuse.org/package/show/X11:terminals/xterm?expand=0&rev=74 2013-05-29 16:46:55 +02:00			`Specifies whether control sequences that set/query the font should be allowed.`
			-The default is \(``true\(''.
			+The default is \(``false\(''.
Accepting request 528278 from home:pcerny:factory - Patch #330 - 2017/06/20 * updates for ReGIS (Ross Combs): + remove redundant text command error check which broke T(B) and T(E). + retain the loading alphabet number across multiple “L” commands. + add S(T) delay handler. + fix some color handling error messages. + add stubbed-out macrograph handling. + use fragment_remaining() and fragment_consumed() instead of manually checking position / length in various places. + rename some local variables in string / extent / option parsing + wrap some long lines. + move macrograph command handling out of the top-level. * add a summary of the italic fonts loaded to -report-fonts option. * modify the font-lookup for italics to allow for “-i-” if no match is found with slant “-o-” (prompted by patch by Ben Wong). * change default values for mkSamplePass and mkSampleSize to reflect generally-improved locale support in various operating systems (FreeBSD #219800). * modify wcwidth.c to return -1 for non-Unicode values, and adjust a couple of blocks to better match assumptions about ambiguous-width characters in other implementations. Also modify wcwidth.c to support configurable soft-hyphen, so there is no drawback to using this version rather than a system wcwidth. * amend change made in patch #328 for cursor-visibility to OBS-URL: https://build.opensuse.org/request/show/528278 OBS-URL: https://build.opensuse.org/package/show/X11:terminals/xterm?expand=0&rev=146 2017-09-22 14:05:44 +02:00			`.TP`
			`.B "allowMouseOps\fP (class\fB AllowMouseOps\fP)"`
			`Specifies whether control sequences that enable \fI\*n\fP to send`