Be more strict about what names and titles we allow and reject them

immediately when possible, but allow # again for those directly set by commands (but not escape sequences). From Barrett Ruth in GitHub issue 5175.
2026-06-20 17:25:57 +00:00 · 2026-06-15 21:41:39 +00:00
parent b86bd1fcd0
commit eb65331403
17 changed files with 144 additions and 81 deletions
--- a/screen.c
+++ b/screen.c
@@ -232,11 +232,14 @@ screen_set_cursor_colour(struct screen *s, int colour)

 /* Set screen title. */
 int
-screen_set_title(struct screen *s, const char *title)
+screen_set_title(struct screen *s, const char *title, int untrusted)
 {
 	char	*new_title;

-	new_title = clean_name(title, "#");
+	if (untrusted)
+		new_title = clean_name(title, "#");
+	else
+		new_title = clean_name(title, "");
 	if (new_title == NULL)
 		return (0);
 	free(s->title);
@@ -246,11 +249,14 @@ screen_set_title(struct screen *s, const char *title)

 /* Set screen path. */
 int
-screen_set_path(struct screen *s, const char *path)
+screen_set_path(struct screen *s, const char *path, int untrusted)
 {
 	char	*new_path;

-	new_path = clean_name(path, "#");
+	if (untrusted)
+		new_path = clean_name(path, "#");
+	else
+		new_path = clean_name(path, "");
 	if (new_path == NULL)
 		return (0);
 	free(s->path);