Merge mango#721
Closed
squassina wants to merge 90 commits into
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
- Replace unsafe strcpy() with strncpy() in fetch/common.h
- Replace unsafe strcpy() with strncpy() in config parsing
- Fix buffer overflow from strcat() by adding bounds checking
- Fix memory leak by adding wordfree() for wordexp results
- Add integer overflow validation for strtol() calls
- Add errno checking for all strtol conversions

Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
- Fix buffer size for strncpy to match actual buffer (32 bytes)
- Use strtoul instead of strtol for unsigned color values
- Improve strncat bounds checking with accurate length tracking
- Free wordexp results immediately after use instead of batching
- Add strdup for wordexp strings to avoid use-after-free

Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
- Add LAYOUT_ABBR_SIZE constant to avoid magic numbers
- Track allocated argv entries to properly free on error
- Simplify strncat bounds checking using strlen for accuracy
- Ensure all allocated memory is freed in error paths

Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
…ze constant Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
- Remove redundant null termination for short strings
- Use descriptive variable names in cleanup loop
- Cache strlen results to avoid O(n²) complexity in string concatenation
- Add bounds checks before string operations

Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
…README.md Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
- Add explicit null termination for consistency
- Optimize string concatenation to avoid redundant strlen calls
- Track actual characters added to maintain O(n) complexity
- Improve code clarity with better comments

Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
- Use direct character assignment for constant strings
- Remove unnecessary tracking array and cleanup code
- Simplify string concatenation logic
- Fix length calculation to match actual strncat behavior
- Code is cleaner and more maintainable

Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>

- Use memcpy with pointer arithmetic for safe string concatenation
- Track and free allocated strings in spawn error path
- Properly account for null terminator in all buffer operations
- Eliminate potential buffer overflows from strncat edge cases

Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
- Use int32_t consistently in all loops
- Add zero-length check before memcpy
- Improve error detection in strtol (comment clarification)
- Ensure null terminator always has space reserved

Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Improve codebase readability: deduplicate animation code, document macros, translate comments to English
Fix critical security vulnerabilities in string handling and memory management
…-mangowc Comprehensive documentation overhaul for new user onboarding
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Fix documentation inconsistencies in keybindings and configuration
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
- Translate comments in src/client/client.h
- Translate comments in src/config/parse_config.h
- Translate comments in src/data/static_keymap.h
- Translate comments in src/dispatch/bind_define.h
- Translate comments in src/ext-protocol/*.h
- Translate comments in src/fetch/*.h
- Translate comments in src/layout/*.h
- Translate comments in src/mango.c

All Chinese comments have been accurately translated to English while preserving the technical meaning and context.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icate Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Removed AUR installation steps for scenefx from build workflow.
Added steps to install scenefx from AUR in the build workflow.
…flow Add build workflow for CI validation with smart path filtering using Arch Linux
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
…platform Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Add NixOS build pipeline and rename Arch workflow
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
…and technical debt tracking Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
…ecurity-performance-clarity Implement code review recommendations: security hardening, i18n, and technical debt tracking
Closes security vulnerabilities and documentation gaps:

1. Remove shell expansion from config-driven exec/exec-once
   - Eliminate wordexp() usage in spawn()
   - Add split_argv_noexpand() for safe argument parsing
   - Change run_exec() and run_exec_once() to use spawn() instead of spawn_shell()
   - Prevents shell injection and expansion-based DoS
2. Fix null-termination in chvt_backup_selmon
   - Add explicit null-terminator after strncpy() in chvt()
   - Prevents out-of-bounds read when used in regex_match()
3. Add regression test
   - New test_chvt_backup_selmon unit test to verify null-termination logic
   - Integrate tests into meson.build
4. Translate Chinese comments to English
   - Update IMPLEMENTATION_SUMMARY.md to remove Chinese text
   - Improves accessibility for international contributors
5. Update documentation
   - Update REVIEW_FINDINGS.md with English versions of examples
   - Remove wordexp include from meson.c headers (no longer needed)
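
The no-expansion argument splitting named in item 1 of the commit message above, as an added example that is not code from this pull request. `split_args_literal()` and `free_args()` are hypothetical names, and the quoting rules (quotes only group, no backslash escapes) are an assumption rather than the behaviour of the project's `split_argv_noexpand()`.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Free a NULL-terminated argv returned by split_args_literal(). */
void free_args(char **argv) {
    if (!argv) return;
    for (size_t i = 0; argv[i]; i++) free(argv[i]);
    free(argv);
}

/* Hypothetical helper: split on whitespace, treat '...' and "..." as
 * grouping only, and copy every other byte literally. Nothing is expanded
 * ($VAR, $(cmd), `cmd`, ~, globs), so the result can go straight to execvp()
 * with no shell involved. Returns NULL on OOM or an unterminated quote. */
char **split_args_literal(const char *line, size_t *argc_out) {
    size_t cap = strlen(line) / 2 + 2; /* max possible tokens + NULL slot */
    char **argv = calloc(cap, sizeof *argv);
    size_t argc = 0;
    if (!argv) return NULL;
    for (const char *p = line;;) {
        while (isspace((unsigned char)*p)) p++;
        if (!*p) break;
        char *tok = malloc(strlen(p) + 1); /* token cannot outgrow the rest */
        if (!tok) { free_args(argv); return NULL; }
        argv[argc++] = tok; /* stored first so error paths free it */
        size_t n = 0;
        char quote = 0;
        for (; *p && (quote || !isspace((unsigned char)*p)); p++) {
            if (quote && *p == quote) quote = 0;
            else if (!quote && (*p == '\'' || *p == '"')) quote = *p;
            else tok[n++] = *p;
        }
        tok[n] = '\0'; /* always terminated, even for an empty "" token */
        if (quote) { free_args(argv); return NULL; }
    }
    if (argc_out) *argc_out = argc;
    return argv; /* argv[argc] is already NULL thanks to calloc */
}

int main(void) {
    /* Constructed config value: expansion syntax must come out verbatim. */
    size_t argc;
    char **argv = split_args_literal("notify-send \"$(id) `id`\" ~/*.txt", &argc);
    for (size_t i = 0; argv && i < argc; i++) printf("argv[%zu] = [%s]\n", i, argv[i]);
    free_args(argv);
    return 0;
}
```
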
No description provided.