
Fixes a security vulnerability where ANSI escape sequences in user input could be injected into terminal output, potentially allowing attackers to manipulate terminal behavior through log messages and error displays. The vulnerability occurred when user-controlled content was formatted using Display (`{}`) instead of Debug (`{:?}`) formatting, allowing raw ANSI sequences to pass through unescaped.

Changes:
- Add streaming ANSI escape wrapper to avoid string allocations
- Escape message content in default and pretty formatters
- Escape error Display content in all error formatting paths
- Add comprehensive integration tests for all formatter types

The fix specifically targets untrusted user input while preserving the ability for applications to deliberately include formatting in trusted contexts like thread names.

Security impact: Prevents terminal injection attacks such as title bar manipulation, screen clearing, and other malicious terminal control sequences that could be injected through log messages.
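A minimal sketch of the streaming-escape idea described in the commit message above, added here as an illustration and not the crate's actual code. The names `EscapingWriter`, `Escaped` and `render` are hypothetical, and passing newline and tab through unchanged is an assumption of this example.

```rust
use std::fmt::{self, Display, Write};

// Hypothetical adapter: forwards text to `inner` and rewrites control
// characters as visible `\xNN` text, without building an intermediate String.
struct EscapingWriter<'a, W: Write> {
    inner: &'a mut W,
}

impl<W: Write> Write for EscapingWriter<'_, W> {
    fn write_str(&mut self, s: &str) -> fmt::Result {
        let mut start = 0; // start of the pending run of safe text
        for (i, c) in s.char_indices() {
            // is_control() covers C0 (including ESC), DEL and C1 (including 8-bit CSI).
            // Newline and tab are passed through (assumption of this example).
            if c.is_control() && c != '\n' && c != '\t' {
                self.inner.write_str(&s[start..i])?;
                write!(self.inner, "\\x{:02x}", c as u32)?;
                start = i + c.len_utf8();
            }
        }
        self.inner.write_str(&s[start..])
    }
}

// Hypothetical wrapper: formats any Display value through the escaper.
struct Escaped<T>(T);

impl<T: Display> Display for Escaped<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let mut w = EscapingWriter { inner: f };
        write!(w, "{}", self.0)
    }
}

// Renders an untrusted value the way a formatter would emit a message field.
fn render(msg: &str) -> String {
    format!("{}", Escaped(msg))
}

fn main() {
    // Constructed sample: a screen-clear sequence inside a user-supplied field.
    let input = "login failed for \x1b[2Jbob";
    println!("{}", render(input));
}
```

Trusted values such as thread names would be written without the `Escaped` wrapper, which matches the distinction the commit message draws between untrusted input and deliberate formatting.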
tracing-subscriber
Utilities for implementing and composing tracing subscribers.
tracing is a framework for instrumenting Rust programs to collect scoped, structured, and async-aware diagnostics. The Subscriber trait represents the functionality necessary to collect this trace data. This crate contains tools for composing subscribers out of smaller units of behaviour, and batteries-included implementations of common subscriber functionality.
tracing-subscriber is intended for use by both Subscriber authors and application authors using tracing to instrument their applications.
Compiler support: requires rustc 1.65+
Supported Rust Versions
Tracing is built against the latest stable release. The minimum supported version is 1.65. The current Tracing version is not guaranteed to build on Rust versions earlier than the minimum supported version.
Tracing follows the same compiler support policies as the rest of the Tokio project. The current stable Rust compiler and the three most recent minor versions before it will always be supported. For example, if the current stable compiler version is 1.69, the minimum supported version will not be increased past 1.66, three minor versions prior. Increasing the minimum supported compiler version is not considered a semver breaking change as long as doing so complies with this policy.
License
This project is licensed under the MIT license.
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in Tracing by you, shall be licensed as MIT, without any additional terms or conditions.