attempts to parse prompt as Pango markup and displays no text if that fails
xtaran opened this issue · 2 comments
Originally reported in Debian as #568779 for 0.3 back in 2010, but I can be still reproduced in 1.2:
From: mike castleman m@mlcastle.net
Subject: ssh-askpass-fullscreen attempts to parse prompt as markup
Date: Sun, 07 Feb 2010 13:27:54 -0500
Package: ssh-askpass-fullscreen
Version: 0.3-3If you pass a string with angle brackets into it into
ssh-askpass-fullscreen, then it will attempt to parse the string as some
kind of markup. If the parsing fails, then ssh-askpass-fullscreen will
display no prompt at all. This failure to properly display a prompt
leaves the user with no idea what is going on.For example:
mlc@palm:~$ ssh-askpass-fullscreen 'Enter passphrase for <m@mlcastle.net>' (ssh-askpass-fullscreen:17193): Gtk-WARNING **: Failed to set text from markup due to error parsing markup: Error on line 1 char 90: 'm@mlcastle.net' is not a valid name: '@'However, other ssh-askpass implementations (such as ssh-askpass-gnome
and the the canonical ssh-askpass) do not have this markup-parsing
'feature' and so display the provided text without a problem.
ssh-askpass-fullscreen should do the same; otherwise, it violates the
interface assumptions that ssh-askpass has offered for years.
This seems to be due to these lines passing the value of the variable message unescaped into %s:
ssh-askpass-fullscreen/src/ssh-askpass-fullscreen.c
Lines 370 to 371 in 8cae98c
On minimal fix seems to strip out all markup characters with g_strcanon() or similar functions. Better would be probably to convert them to numerical XML escape codes.
P.S.: I've updated the Debian package of ssh-askpass-fullscreen to 1.2 and will upload it soon to Debian Unstable.
Apologies, this got lost in my stream of GitHub emails. I will look into what the best options are to resolve this.
Thanks for maintaining the Debian package.