From aee9a68c694dafa407e4e3965426e3d69f9a5cea Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 1 Apr 2026 16:37:05 +0000 Subject: [PATCH] fix: harden sanitize_string.py stdin/stdout encoding for defense-in-depth MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit sanitize_string.py was missing two defense-in-depth measures that all st* tools (stcat, stcatn, stecho, stprint, stsponge, sttee) already had: 1. stdin used errors="ignore" without explicit encoding, silently dropping invalid bytes. Changed to encoding="utf-8", errors="replace" to match st* tools — invalid bytes become U+FFFD then get replaced with '_' by stdisplay, making tampering visible. 2. stdout was never reconfigured to ASCII encoding. Added encoding="ascii", errors="replace" to match st* tools — provides a safety net if a non-ASCII character ever survives the sanitization pipeline. https://claude.ai/code/session_01CKA1A2XSprq49uNtGiMBxW --- .../dist-packages/sanitize_string/sanitize_string.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/usr/lib/python3/dist-packages/sanitize_string/sanitize_string.py b/usr/lib/python3/dist-packages/sanitize_string/sanitize_string.py index 1d890ea9..22b88c20 100644 --- a/usr/lib/python3/dist-packages/sanitize_string/sanitize_string.py +++ b/usr/lib/python3/dist-packages/sanitize_string/sanitize_string.py @@ -74,7 +74,9 @@ def main() -> int: ## Read untrusted_string from stdin if needed if untrusted_string is None: if sys.stdin is not None: - sys.stdin.reconfigure(errors="ignore") # type: ignore + sys.stdin.reconfigure( # type: ignore + encoding="utf-8", errors="replace", newline="\n" + ) untrusted_string = sys.stdin.read() else: ## No way to get an untrusted string, print nothing and @@ -82,6 +84,9 @@ def main() -> int: return 0 ## Sanitize and print + sys.stdout.reconfigure( # type: ignore + encoding="ascii", errors="replace", newline="\n" + ) assert untrusted_string is not None sanitized_string: str = sanitize_string(untrusted_string) if max_string_length is not None: