mirror of
https://github.com/kovidgoyal/kitty.git
synced 2026-05-13 16:37:27 +00:00
Timing-safe comparisons:

- crypto.c: Replace memcmp with CRYPTO_memcmp for Secret equality, require equal lengths before comparing
- remote_control.py: Constant-time password lookup to avoid leaking valid passwords via dict hash timing
- file_transmission.py: Use hmac.compare_digest for bypass token comparison instead of ==

Memory safety:

- child-monitor.c: Fix inverted condition in write_to_peer that prevented memmove from ever executing on partial writes
- ibus_glfw.c: Null-terminate IBUS_ADDRESS copy to prevent string overread when strlen >= PATH_MAX
- x11_window.c: Add NULL checks after realloc in clipboard/DnD data handling (two sites)
- dnd.c: Cap accepted_mimes at 1MB to prevent unbounded growth, fix realloc to not lose the original pointer on failure
- png-reader.c: Cast to size_t before multiplication to prevent integer overflow on 32-bit platforms

Secrets hygiene:

- disk-cache.c: Zero encryption_key with explicit_bzero before free

Tar extraction hardening:

- tar.go: Validate hardlink targets against destination prefix to prevent writing outside extraction directory
- tar.go: Strip setuid/setgid/sticky bits from extracted files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

| | | |
|---|---|---|
| .. | ||
| cli | ||
| cmd | ||
| config | ||
| crypto | ||
| disk_cache | ||
| fzf | ||
| highlight | ||
| icons | ||
| ignorefiles | ||
| rsync | ||
| simdstring | ||
| themes | ||
| tty | ||
| tui | ||
| unicode_names | ||
| utils | ||
| vt | ||
| wcswidth | ||
| README.rst | ||

This folder contains library and utility code for the various "kittens": small, statically compiled terminal programs for doing things like kitty remote control, icat, etc. These are often re-implementations of earlier kittens that were written in Python.