Skip to content

Fix terminal escape sequence injection via HTTP response data#1817

Open
eddieran wants to merge 2 commits into
httpie:masterfrom
eddieran:fix/terminal-escape-sanitization
Open

Fix terminal escape sequence injection via HTTP response data#1817
eddieran wants to merge 2 commits into
httpie:masterfrom
eddieran:fix/terminal-escape-sanitization

Conversation

@eddieran
Copy link
Copy Markdown

@eddieran eddieran commented Apr 14, 2026

Summary

Fixes #1812 — Terminal escape sequence injection via HTTP response data.

A malicious HTTP server can embed ANSI escape sequences in response headers or body to manipulate the user's terminal when HTTPie displays the output. This can be used to:

  • Set the terminal window title (OSC 0)
  • Inject clipboard content (OSC 52)
  • Move the cursor to overwrite previously displayed content (CSI H)
  • Clear the screen (CSI J)
  • Reset the terminal (ESC c)

Fix

Added httpie/output/sanitize.py with a sanitize_output() function that strips dangerous terminal control sequences from output bytes while preserving:

  • Safe whitespace: \t, \n, \r
  • SGR color codes (ESC [ ... m) used by HTTPie's own syntax highlighting

The sanitization is applied in write_stream() and write_stream_with_colors_win() only when output is to a TTY (stdout_isatty=True). Piped/redirected output is left untouched so raw data is preserved for scripts.

What is stripped

Sequence type Example Purpose
OSC sequences ESC ] 0;title BEL Window title, clipboard manipulation
Non-SGR CSI sequences ESC [ 2 J, ESC [ 1;1 H Screen clear, cursor movement
Single-char escapes ESC c Terminal reset
Dangerous C0 chars BEL, BS, VT, FF, DEL Bell, backspace, etc.

Files changed

  • httpie/output/sanitize.py — New module with sanitize_output() function
  • httpie/output/writer.py — Apply sanitization when writing to TTY
  • tests/test_terminal_sanitize.py — 19 tests (14 unit + 5 integration)

Test plan

  • All 19 new tests pass
  • All 137 existing output/stream tests pass (0 regressions)
  • Manual test: printf 'HTTP/1.1 200\r\nX-Evil: \x1b]0;pwned\x07\r\n\r\nbody' | nc -l 8888 then http localhost:8888 — terminal title should not change

eddieran added 2 commits April 14, 2026 13:30
@eddieran
Sanitize terminal escape sequences in TTY output
ddc88c9 
Strip dangerous terminal control sequences (OSC, non-SGR CSI, C0 control
chars) from HTTP response output when writing to a TTY.  This prevents
malicious servers from injecting escape codes that manipulate the terminal
title, clipboard, cursor position, or display.

Sanitization is only applied to TTY output — piped/redirected output is
left untouched to preserve raw data for scripts.

HTTPie's own SGR color sequences (ESC [ ... m) are preserved so syntax
highlighting continues to work normally.

Fixes httpie#1812
@eddieran
style: remove unused pytest import to fix flake8 F401
2bdf368
@eddieran
Copy link
Copy Markdown
Author

eddieran commented May 31, 2026

Heads-up on the red CI: the two failing jobs are test_encoding.py::test_terminal_output_{response,request}_charset_detection[big5-...], and they're not caused by this change.

I checked out the PR's base commit (5b604c3, none of my changes) and ran the same test in the same env — it fails identically there:

assert '卷首卷首…' in 'HTTP/1.1 200 OK…뻥솤뻥솤…'

It's charset_normalizer (3.4.7 here) detecting the big5 sample as euc-kr/cp949, so the round-trip produces Korean glyphs instead of the expected Chinese. The test data hasn't changed on master since 2024, so any PR built on a runner with a recent charset_normalizer will trip it.

This PR's own additions (tests/test_terminal_sanitize.py) pass. The sanitizer only touches the byte stream on TTY output and never sees ESC/C0 bytes inside big5 sequences, so it doesn't affect charset detection. Happy to pin charset_normalizer in a separate PR if that'd help unblock the suite.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Terminal escape sequence injection via malicious HTTP response data

1 participant

@eddieran