Do not silently change invalid names given to commands. by barrettruth · Pull Request #5175 · tmux/tmux

barrettruth · 2026-06-08T12:42:11Z

use nicholas's solution: reject invalid session, window names instead of rewrite: add check_name and use it everywhere a command takes a name (session, window, pane title, buffer).

there's no way to reject escape sequences and automatic renames so those still modify silently,

2 open questions here:

buffer names keep forbid="" (from 746dd91), so {#,:,.} are still allowed in them and only control chars get rejected. in other words, buffers end up reject-consistent but not character-level consistent with sessions/windows. lmk if you want to rather forbid # in buffers too
i normalized error messages as follows - this alright with you?

invalid session name: %s
invalid session group name: %s
invalid window name: %s
invalid pane title: %s
invalid buffer name: %s

nicm · 2026-06-08T15:17:56Z

Thanks. I think buffer names may as well not be allowed to contain # as well. . and : are OK.

barrettruth · 2026-06-08T16:06:54Z

Thanks, just fixed.

nicm · 2026-06-09T08:58:57Z

OK the idea is good but I think we need to change check_name. I don't think it should reject names that utf8_stravis will sort out, it is fine to silently let that happen.

So I think it would be better to change check_name not to call clean_name and instead just check for forbidden characters itself?

barrettruth · 2026-06-09T20:40:21Z

fixed. lmk if you want the empty + utf8_isvalid rejection moved out of check_name

nicm · 2026-06-09T21:58:37Z

Hmm. Maybe we are going too far with this.

The reason for forbidding : and . is because tmux uses them itself for targets, so I think forbidding them in session and window names is probably fine. IIRC we have not allowed them in session names for years.

# is a bit trickier... it just seems a bit unexpected to suddenly start forbidding it.

The idea of removing it is that something in a pane could use an escape sequence to rename a window or change a pane title to contain #(foo) and if that was then evaluated in the status line, foo could be executed.

But that only applies to escape sequences. There is no security boundary with commands - anything that could run tmux renamew '#(foo)' could equally well just run foo itself directly. So there is no requirement to remove # from a name set with rename-window.

So perhaps we should allow # unless the name or title came from an escape sequence?

That is easy enough for session and paste buffer names but all window names go into window_set_name and pane titles into screen_set_title so they would be a little more complicated.

Or maybe the whole thing is silly and aside from escape sequences we just allow commands to set anything and clean away only invalid UTF-8? If someone creates a session called :.0 then they won't be able to target it, but does that matter?

What do you think?

barrettruth · 2026-06-09T23:54:00Z

Agreed. I reverted it to only reject : and . in session and window names and leave #, pane titles, and buffers as before.

nicm · 2026-06-10T08:28:52Z

This isn't enough because window_set_name and screen_set_title still replace # so even though you can set them with rename-window they will be removed.

They should be allowed from rename-window/select-pane/automatic-rename but forbidden from input.c.

And the check/clean calls should match for each.

barrettruth · 2026-06-10T19:43:12Z

sorry for the back and forth. fixed it at the root (window_set_name and screen_set_title now take a forbid set). # is only stripped from escape sequences and kept from rename-window/select-pane/automatic-rename. this is what you were looking for, correct?

nicm · 2026-06-10T21:14:18Z

A couple of them look off. I asked ChatGPT to summarise them against what the rules should be. I took a quick look and it seems not to be lying:

Class/source	Calling function	Desired set	PR does	Result
Command session name	cmd_new_session_exec, cmd_rename_session_exec	:.	:.	OK
Command session group name	cmd_new_session_exec	:.	:.	OK
Command window name	cmd_new_session_exec, cmd_new_window_exec, cmd_rename_window_exec, cmd_break_pane_exec	:.	:.	OK
Command pane title	cmd_select_pane_exec	empty	empty	OK
Command buffer name	paste_set, paste_rename via cmd_set_buffer_exec	empty	empty	OK
Escape-seq pane title	input_exit_osc, input_exit_apc → screen_set_title	#	#	OK
Escape-seq window name	input_exit_rename → window_set_name	:.#	#	Wrong
Automatic window rename	check_window_name → window_set_name	:.	empty	Wrong
Default window name from argv/shell	default_window_name → parse_window_name	:.	empty	Wrong
Spawned window final storage	spawn_window	:.	:.	OK

Here are the rules:

Class	Command	Escape sequence
Session names	:.	:.#
Window names	:.	:.#
Buffer names	empty	#
Pane titles	empty	#

barrettruth marked this pull request as ready for review June 8, 2026 12:55

barrettruth force-pushed the fix/reject-invalid-command-names branch from ef3b46a to 0474444 Compare June 8, 2026 12:59

barrettruth marked this pull request as draft June 8, 2026 12:59

barrettruth marked this pull request as ready for review June 8, 2026 13:29

mgrant0 added this to All Issues & PRs Jun 8, 2026

github-project-automation Bot moved this to Backlog in All Issues & PRs Jun 8, 2026

barrettruth force-pushed the fix/reject-invalid-command-names branch from 0474444 to ed06b88 Compare June 8, 2026 16:06

barrettruth marked this pull request as draft June 8, 2026 16:06

barrettruth marked this pull request as ready for review June 8, 2026 16:06

nicm moved this from Not Started to In Progress in All Issues & PRs Jun 9, 2026

barrettruth force-pushed the fix/reject-invalid-command-names branch from ed06b88 to 779a4b2 Compare June 9, 2026 20:38

barrettruth force-pushed the fix/reject-invalid-command-names branch from 779a4b2 to a2c907d Compare June 9, 2026 23:51

Do not silently change invalid names given to commands.

a930ddf

barrettruth force-pushed the fix/reject-invalid-command-names branch from a2c907d to a930ddf Compare June 10, 2026 19:36

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Do not silently change invalid names given to commands.#5175

Do not silently change invalid names given to commands.#5175
barrettruth wants to merge 1 commit into
tmux:masterfrom
barrettruth:fix/reject-invalid-command-names

barrettruth commented Jun 8, 2026 •

edited

Loading

Uh oh!

nicm commented Jun 8, 2026

Uh oh!

barrettruth commented Jun 8, 2026

Uh oh!

nicm commented Jun 9, 2026

Uh oh!

barrettruth commented Jun 9, 2026

Uh oh!

nicm commented Jun 9, 2026 •

edited

Loading

Uh oh!

barrettruth commented Jun 9, 2026

Uh oh!

nicm commented Jun 10, 2026

Uh oh!

barrettruth commented Jun 10, 2026

Uh oh!

nicm commented Jun 10, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

barrettruth commented Jun 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nicm commented Jun 8, 2026

Uh oh!

barrettruth commented Jun 8, 2026

Uh oh!

nicm commented Jun 9, 2026

Uh oh!

barrettruth commented Jun 9, 2026

Uh oh!

nicm commented Jun 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

barrettruth commented Jun 9, 2026

Uh oh!

nicm commented Jun 10, 2026

Uh oh!

barrettruth commented Jun 10, 2026

Uh oh!

nicm commented Jun 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

barrettruth commented Jun 8, 2026 •

edited

Loading

nicm commented Jun 9, 2026 •

edited

Loading

nicm commented Jun 10, 2026 •

edited

Loading