kitty/tools/utils
z3rco b39f88c6a2 Fix multiple security vulnerabilities across C, Python, and Go code
Timing-safe comparisons:
- crypto.c: Replace memcmp with CRYPTO_memcmp for Secret equality,
  require equal lengths before comparing
- remote_control.py: Constant-time password lookup to avoid leaking
  valid passwords via dict hash timing
- file_transmission.py: Use hmac.compare_digest for bypass token
  comparison instead of ==

Memory safety:
- child-monitor.c: Fix inverted condition in write_to_peer that
  prevented memmove from ever executing on partial writes
- ibus_glfw.c: Null-terminate IBUS_ADDRESS copy to prevent string
  overread when strlen >= PATH_MAX
- x11_window.c: Add NULL checks after realloc in clipboard/DnD
  data handling (two sites)
- dnd.c: Cap accepted_mimes at 1MB to prevent unbounded growth,
  fix realloc to not lose the original pointer on failure
- png-reader.c: Cast to size_t before multiplication to prevent
  integer overflow on 32-bit platforms

Secrets hygiene:
- disk-cache.c: Zero encryption_key with explicit_bzero before free

Tar extraction hardening:
- tar.go: Validate hardlink targets against destination prefix to
  prevent writing outside extraction directory
- tar.go: Strip setuid/setgid/sticky bits from extracted files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 16:10:46 +01:00
base85 run modernize 2025-11-11 17:09:37 +05:30
humanize run modernize 2025-11-11 17:09:37 +05:30
images Resize method should not use bounds 2025-11-17 12:59:04 +05:30
paths
random
secrets
shlex
style Modernize Go code 2026-03-21 08:41:47 +05:30
atexit.go Add integration test for go atexit implementation 2025-09-30 12:37:25 +05:30
atomic-write.go
cache.go
cached_values.go
clock_with_raw.go
clock_without_raw.go
colors.go
download_file.go
embed.go
filelock.go
filelock_test.go
hostname.go
io.go
iso8601.go
iso8601_test.go
levenshtein.go
longest-common.go run modernize 2025-11-11 17:09:37 +05:30
longest-common_test.go
mimetypes.go
misc.go Move error handling code into its own library 2025-10-12 13:51:16 +05:30
passwd.go
passwd_test.go
paths.go choose files: Add a few more output formats 2025-11-26 21:13:57 +05:30
regexp.go
ring.go
ring_test.go
select.go
select_posix.go
select_without_pselect.go
set.go
shell.go
short-uuid.go run modernize 2025-11-11 17:09:37 +05:30
short-uuid_test.go
sockets.go
sockets_test.go
stream_decompressor.go
stream_decompressor_test.go
strings.go Modernize Go code 2026-03-21 08:41:47 +05:30
strings_test.go
tar.go Fix multiple security vulnerabilities across C, Python, and Go code 2026-04-03 16:10:46 +01:00
tar_test.go
tmpfile_linux.go
tmpfile_others.go
tpmfile_test.go
types.go
unsafe.go
utf-8.go
which.go