Always do a roundtrip at kitten exit, except for special purpose
kittens. This slows down exit by one round trip time (capped at 2
seconds), however it ensures that we never get terminal response leak.
Fixes#9839
Timing-safe comparisons:
- crypto.c: Replace memcmp with CRYPTO_memcmp for Secret equality,
require equal lengths before comparing
- remote_control.py: Constant-time password lookup to avoid leaking
valid passwords via dict hash timing
- file_transmission.py: Use hmac.compare_digest for bypass token
comparison instead of ==
Memory safety:
- child-monitor.c: Fix inverted condition in write_to_peer that
prevented memmove from ever executing on partial writes
- ibus_glfw.c: Null-terminate IBUS_ADDRESS copy to prevent string
overread when strlen >= PATH_MAX
- x11_window.c: Add NULL checks after realloc in clipboard/DnD
data handling (two sites)
- dnd.c: Cap accepted_mimes at 1MB to prevent unbounded growth,
fix realloc to not lose the original pointer on failure
- png-reader.c: Cast to size_t before multiplication to prevent
integer overflow on 32-bit platforms
Secrets hygiene:
- disk-cache.c: Zero encryption_key with explicit_bzero before free
Tar extraction hardening:
- tar.go: Validate hardlink targets against destination prefix to
prevent writing outside extraction directory
- tar.go: Strip setuid/setgid/sticky bits from extracted files
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add --allow-fallback option to the map command that controls shifted
and ascii (alternate_key) fallback for individual key mappings.
For non-Latin keyboard layouts, when the current layout key is
non-ascii (codepoint > 127 and < 0xE000), the alternate_key from
the base layout is used for matching if the mapping opts in via
--allow-fallback=shifted,ascii.
Default kitty bindings use --allow-fallback=shifted,ascii so they
work out of the box with non-Latin layouts. User custom mappings
default to --allow-fallback=shifted (preserving existing shifted_key
behavior without ascii fallback).
--allow-fallback=none disables all fallback for a mapping.
Python side: parse_options_for_map() in options/utils.py handles flag
parsing, ShortcutMapping uses it in __init__. get_shortcut() filters
candidates by per-mapping allow_fallback.
Go side: ParseMap() handles --allow-fallback, KeyAction stores
AllowFallback, ShortcutTracker.Match passes it to matching.
MatchesParsedShortcut defaults to shifted,ascii for hardcoded shortcuts.
Migrated kittens (themes, command_palette, diff, choose_files) to
use ShortcutTracker with configurable map entries.
Tests added for Python (5 test methods) and Go (ParseMap + key matching).
