[GH-ISSUE #718] hex parsing is prone to accepting "+" prefix #975

New issue

Closed

opened 2026-03-15 11:11:26 +03:00 by kerem · 1 comment

kerem commented

2026-03-15 11:11:26 +03:00

Owner

Originally created by @Rudxain on GitHub (Dec 10, 2025).
Original GitHub issue: https://github.com/asciinema/asciinema/issues/718

Pre-submission checks

I have searched existing issues and this bug has not been reported yet
This is a bug report for asciinema CLI (not player or server)

Bug Description

The private fn parse_color has a mistake (rust-lang/rust-clippy#16213) that could allow hex strings like "+a/+b/+c":
github.com/asciinema/asciinema@e5b64815c3/src/tty.rs (L263-L274)

The tests are incomplete:
github.com/asciinema/asciinema@e5b64815c3/src/tty.rs (L293-L316)

Steps to Reproduce

I haven't tested it yet

Expected Behavior

It should reject the plus-signs

Operating System

irrelevant

asciinema CLI Version

commit-hash already included

Installation Method

Built from source

Terminal Information

No response

Additional Context

No response

Originally created by @Rudxain on GitHub (Dec 10, 2025). Original GitHub issue: https://github.com/asciinema/asciinema/issues/718 ### Pre-submission checks - [x] I have searched existing issues and this bug has not been reported yet - [x] This is a bug report for asciinema CLI (not player or server) ### Bug Description The private `fn parse_color` has a mistake (rust-lang/rust-clippy#16213) that could allow hex strings like "+a/+b/+c": https://github.com/asciinema/asciinema/blob/e5b64815c317309dfb6aaefc674417ac749354cc/src/tty.rs#L263-L274 The tests are incomplete: https://github.com/asciinema/asciinema/blob/e5b64815c317309dfb6aaefc674417ac749354cc/src/tty.rs#L293-L316 ### Steps to Reproduce I haven't tested it yet ### Expected Behavior It should reject the plus-signs ### Operating System irrelevant ### asciinema CLI Version commit-hash already included ### Installation Method Built from source ### Terminal Information _No response_ ### Additional Context _No response_

kerem closed this issue

2026-03-15 11:11:31 +03:00

kerem commented

2026-03-15 11:11:37 +03:00

Author

Owner

@ku1ik commented on GitHub (Dec 11, 2025):

Thanks. I can see it being prone to that, but does this actually happen in practice here? I doubt that. The parsing here applies to terminal responses, and it would require explicit + sign in the output of terminal emulator for this to trigger, and I'm pretty sure none of them do this, because why :)

@ku1ik commented on GitHub (Dec 11, 2025): Thanks. I can see it being prone to that, but does this actually happen in practice here? I doubt that. The parsing here applies to terminal responses, and it would require explicit `+` sign in the output of terminal emulator for this to trigger, and I'm pretty sure none of them do this, because why :)