mirror of
https://github.com/kovidgoyal/kitty
synced 2026-06-08 22:28:24 +02:00
b39f88c6a2e810f3e55e919b95bf159ec05ef2df
Timing-safe comparisons:
- crypto.c: Replace memcmp with CRYPTO_memcmp for Secret equality, require equal lengths before comparing
- remote_control.py: Constant-time password lookup to avoid leaking valid passwords via dict hash timing
- file_transmission.py: Use hmac.compare_digest for bypass token comparison instead of ==

Memory safety:
- child-monitor.c: Fix inverted condition in write_to_peer that prevented memmove from ever executing on partial writes
- ibus_glfw.c: Null-terminate IBUS_ADDRESS copy to prevent string overread when strlen >= PATH_MAX
- x11_window.c: Add NULL checks after realloc in clipboard/DnD data handling (two sites)
- dnd.c: Cap accepted_mimes at 1MB to prevent unbounded growth, fix realloc to not lose the original pointer on failure
- png-reader.c: Cast to size_t before multiplication to prevent integer overflow on 32-bit platforms

Secrets hygiene:
- disk-cache.c: Zero encryption_key with explicit_bzero before free

Tar extraction hardening:
- tar.go: Validate hardlink targets against destination prefix to prevent writing outside extraction directory
- tar.go: Strip setuid/setgid/sticky bits from extracted files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
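The two Python items in the commit message above (password lookup and bypass-token comparison), sketched as an added example; this is not kitty's code. The function names and the sample table are hypothetical, and comparing keyed MACs of both values rather than the raw strings is an addition made here so that length and non-ASCII input are handled as well.

```python
import hashlib
import hmac
import secrets
from typing import Mapping, Optional, Tuple

# Random per-process key: values are compared as fixed-length MACs, so the
# comparison does not depend on a stored secret's length or shared prefix.
_KEY = secrets.token_bytes(32)

# Constructed sample table (password -> allowed actions), not kitty's data.
SAMPLE_PASSWORDS = {
    "correct horse": ("ls", "send-text"),
    "pässwörd": ("*",),
}


def _mac(value: str) -> bytes:
    # Encode first: hmac.compare_digest raises TypeError on non-ASCII str.
    return hmac.new(_KEY, value.encode("utf-8"), hashlib.sha256).digest()


def lookup_leaky(table: Mapping[str, Tuple[str, ...]],
                 supplied: str) -> Optional[Tuple[str, ...]]:
    """The pattern being replaced: hash probe, then == on a bucket hit."""
    return table.get(supplied)


def lookup_constant_time(table: Mapping[str, Tuple[str, ...]],
                         supplied: str) -> Optional[Tuple[str, ...]]:
    """Compare against every entry; never return from inside the loop."""
    supplied_mac = _mac(supplied)
    found = None
    for password, actions in table.items():
        match = hmac.compare_digest(_mac(password), supplied_mac)
        # Same assignment on hit and miss, so a match does no extra work.
        found = actions if match else found
    return found


def token_matches(expected: str, supplied: str) -> bool:
    """Token check without ==, whose timing can depend on where inputs differ."""
    return hmac.compare_digest(_mac(expected), _mac(supplied))
```

The work done per lookup scales with the number of configured passwords, not with which entry (if any) matched.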
= kitty - the fast, feature-rich, cross-platform, GPU based terminal

If you live in the terminal, *kitty* is made for **you**!

See https://sw.kovidgoyal.net/kitty/[the kitty website].

image:https://github.com/kovidgoyal/kitty/workflows/CI/badge.svg["Build status", link="https://github.com/kovidgoyal/kitty/actions?query=workflow%3ACI"]

https://sw.kovidgoyal.net/kitty/faq/[Frequently Asked Questions]

To ask other questions about kitty usage, use either the https://github.com/kovidgoyal/kitty/discussions/[discussions on GitHub] or the https://www.reddit.com/r/KittyTerminal[Reddit community]

Packaging status in various repositories:

image:https://repology.org/badge/vertical-allrepos/kitty-terminal.svg?columns=3&header=kitty["Packaging status", link="https://repology.org/project/kitty-terminal/versions"]

Languages
Python 38.5%
C 28%
Go 26.4%
Objective-C 5.5%
Shell 1%
Other 0.5%