Skip to content

fix: sanitize terminal escape sequences in HTTP response output#1897

Open
muhamedfazalps wants to merge 1 commit into
httpie:masterfrom
muhamedfazalps:fix/terminal-escape-sanitization
Open

fix: sanitize terminal escape sequences in HTTP response output#1897
muhamedfazalps wants to merge 1 commit into
httpie:masterfrom
muhamedfazalps:fix/terminal-escape-sanitization

Conversation

@muhamedfazalps

Copy link
Copy Markdown

Fixes #1812

A malicious HTTP server could embed ANSI escape codes or OSC sequences in response headers or body text, potentially:

  • Manipulating the terminal display (clearing screen, replacing content with fake output)
  • Changing the terminal title via OSC sequences (\x1b]2;text\x07)
  • Injecting clipboard content on supported terminals (iTerm2, some xterm)
  • Exploiting terminal emulator vulnerabilities (historical CVEs in xterm, iTerm2, Konsole)

This is particularly relevant for HTTPie since it's commonly used in security research and API testing with untrusted servers.

Fix

This PR adds a _sanitize_for_terminal() function that strips terminal control sequences when outputting to a TTY:

  • C0 control chars (except \t, \n, \r): \x00-\x08, \x0b, \x0c, \x0e-\x1f, \x7f
  • CSI sequences: \x1b[... (color codes, cursor movement)
  • OSC sequences: \x1b]...\x07 (title, clipboard)
  • Other ESC sequences: charset selection, etc.

Sanitization is applied to:

  • Response headers (via BaseStream.get_headers())
  • Response body (via EncodedStream.iter_body())
  • Response metadata (via BaseStream.get_metadata())

Only applied when stdout is a TTY — piped/redirected output preserves raw data for scripting.

---\n\nbuymeacoffee.com/muhamedfazalps

A malicious HTTP server could embed ANSI escape codes or OSC sequences
in response headers or body text, potentially:
- Manipulating the terminal display (clearing screen, fake content)
- Changing the terminal title
- Injecting clipboard content on supported terminals
- Exploiting terminal emulator vulnerabilities

This fix strips terminal control sequences when outputting to a TTY,
preventing escape sequence injection attacks. The sanitization is only
applied when stdout is a terminal (not when piped or redirected),
preserving raw output for scripting use cases.

Fixes httpie#1812
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Terminal escape sequence injection via malicious HTTP response data

1 participant