atj / ssh-askpass-fullscreen Goto Github PK

Originally reported in Debian as #568779 for 0.3 back in 2010, but I can be still reproduced in 1.2:

From: mike castleman [email protected]
Subject: ssh-askpass-fullscreen attempts to parse prompt as markup
Date: Sun, 07 Feb 2010 13:27:54 -0500
Package: ssh-askpass-fullscreen
Version: 0.3-3

If you pass a string with angle brackets into it into
ssh-askpass-fullscreen, then it will attempt to parse the string as some
kind of markup. If the parsing fails, then ssh-askpass-fullscreen will
display no prompt at all. This failure to properly display a prompt
leaves the user with no idea what is going on.

For example:

mlc@palm:~$ ssh-askpass-fullscreen 'Enter passphrase for <[email protected]>'
(ssh-askpass-fullscreen:17193): Gtk-WARNING **: Failed to set text from markup due to error parsing markup: Error on line 1 char 90: '[email protected]' is not a valid name: '@' 

However, other ssh-askpass implementations (such as ssh-askpass-gnome
and the the canonical ssh-askpass) do not have this markup-parsing
'feature' and so display the provided text without a problem.
ssh-askpass-fullscreen should do the same; otherwise, it violates the
interface assumptions that ssh-askpass has offered for years.

This seems to be due to these lines passing the value of the variable message unescaped into %s:

On minimal fix seems to strip out all markup characters with g_strcanon() or similar functions. Better would be probably to convert them to numerical XML escape codes.

P.S.: I've updated the Debian package of ssh-askpass-fullscreen to 1.2 and will upload it soon to Debian Unstable.

This pertains to both the background and prompt.

As you can see background didn't draw correctly (very visible on the right side of the window and below) and the second prompt was over the first one.

Citing from Debian bug report #967757:

This package has Build-Depends on GTK 2 (libgtk2.0-dev), or produces binary packages with a Depends on GTK 2.

GTK 2 was superseded by GTK 3 in 2011 (see https://bugs.debian.org/947713). It no longer receives any significant upstream maintenance, and in particular does not get feature development for new features like UI scaling on high-pixel-density displays (HiDPI) and native Wayland support. GTK 3 is in maintenance mode and GTK 4 is approaching release, so it seems like a good time to be thinking about
minimizing the amount of GTK 2 in the archive.

GTK 2 is used by some important productivity applications like GIMP, and has also historically been a popular UI toolkit for proprietary software that we can't change, so perhaps removing GTK 2 from Debian will never be feasible. However, it has reached the point where a dependency on it is
a bug - not a release-critical bug, and not a bug that can necessarily be fixed quickly, but a piece of technical debt that maintainers should be aware of.

A porting guide is provided in the GTK 3 documentation: https://developer.gnome.org/gtk3/stable/migrating.html

Some libraries (for example libgtkspell0) expose GTK as part of their API/ABI, in which case removing the deprecated dependency requires breaking API/ABI. For these libraries, in many cases there will already be a corresponding GTK 3 version (for example libgtkspell3-3-0), in which case the GTK 2-based library should probably be deprecated or removed itself. If there is no GTK 3 equivalent, of a GTK 2-based library, maintainers should talk to the dependent library's upstream developers about whether the dependent library should break API/ABI and switch to GTK 3, or whether the dependent library should itself be deprecated or removed.

A few packages extend GTK 2 by providing plugins (theme engines, input methods, etc.) or themes, for example ibus and mate-themes. If these packages deliberately support GTK 2 even though it is deprecated, and they also support GTK 3, then it is appropriate to mark this mass-filed bug as wontfix for now. I have tried to exclude these packages from the mass-bug-filing, but I probably missed some of them.