Merge branch 'master' into master

Author: Kijju

.github/workflows/dependency-submission.yml

@@ -0,0 +1,23 @@
+name: Automatic Dependency Submission
+
+on:
+  push:
+    branches: [ 'master' ]
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  dependency-submission:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@v4
+    - name: Setup Java
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'temurin'
+        java-version: 17
+    - name: Generate and submit dependency graph
+      uses: gradle/actions/dependency-submission@v4

README.md

@@ -49,7 +49,7 @@ The core [Termux](https://github.com/termux/termux-app) app comes with the follo
 
 ## Installation
 
-Latest version is `v0.118.1`.
+Latest version is `v0.118.3`.
 
 **NOTICE: It is highly recommended that you update to `v0.118.0` or higher ASAP for various bug fixes, including a critical world-readable vulnerability reported [here](https://termux.github.io/general/2022/02/15/termux-apps-vulnerability-disclosures.html). See [below](#google-play-store-experimental-branch) for information regarding Termux on Google Play.**
 

SECURITY.md

@@ -0,0 +1 @@
+Check https://termux.dev/security for info on Termux security policies and how to report vulnerabilities.

jitpack.yml

@@ -1,2 +1,4 @@
+jdk:
+  - openjdk11
 env:
   JITPACK_NDK_VERSION: "21.1.6352462"

terminal-emulator/src/main/java/com/termux/terminal/TerminalEmulator.java

@@ -83,6 +83,10 @@ public final class TerminalEmulator {
     private static final int ESC_APC = 20;
     /** Escape processing: "ESC _" or Application Program Command (APC), followed by Escape. */
     private static final int ESC_APC_ESCAPE = 21;
+    /** Escape processing: ESC [ <parameter bytes> */
+    private static final int ESC_CSI_UNSUPPORTED_PARAMETER_BYTE = 22;
+    /** Escape processing: ESC [ <parameter bytes> <intermediate bytes> */
+    private static final int ESC_CSI_UNSUPPORTED_INTERMEDIATE_BYTE = 23;
 
     /** The number of parameter arguments including colon separated sub-parameters. */
     private static final int MAX_ESCAPE_PARAMETERS = 32;
@@ -658,6 +662,10 @@ public void processCodePoint(int b) {
                     case ESC_CSI:
                         doCsi(b);
                         break;
+                    case ESC_CSI_UNSUPPORTED_PARAMETER_BYTE:
+                    case ESC_CSI_UNSUPPORTED_INTERMEDIATE_BYTE:
+                        doCsiUnsupportedParameterOrIntermediateByte(b);
+                        break;
                     case ESC_CSI_EXCLAMATION:
                         if (b == 'p') { // Soft terminal reset (DECSTR, http://vt100.net/docs/vt510-rm/DECSTR).
                             reset();
@@ -1059,6 +1067,37 @@ private int nextTabStop(int numTabs) {
         return mRightMargin - 1;
     }
 
+    /**
+     * Process byte while in the {@link #ESC_CSI_UNSUPPORTED_PARAMETER_BYTE} or
+     * {@link #ESC_CSI_UNSUPPORTED_INTERMEDIATE_BYTE} escape state.
+     *
+     * Parse unsupported parameter, intermediate and final bytes but ignore them.
+     *
+     * > For Control Sequence Introducer, ... the ESC [ is followed by
+     * > - any number (including none) of "parameter bytes" in the range 0x30–0x3F (ASCII 0–9:;<=>?),
+     * > - then by any number of "intermediate bytes" in the range 0x20–0x2F (ASCII space and !"#$%&'()*+,-./),
+     * > - then finally by a single "final byte" in the range 0x40–0x7E (ASCII @A–Z[\]^_`a–z{|}~).
+     *
+     * - https://en.wikipedia.org/wiki/ANSI_escape_code#Control_Sequence_Introducer_commands
+     * - https://invisible-island.net/xterm/ecma-48-parameter-format.html#section5.4
+     */
+    private void doCsiUnsupportedParameterOrIntermediateByte(int b) {
+        if (mEscapeState == ESC_CSI_UNSUPPORTED_PARAMETER_BYTE && b >= 0x30 && b <= 0x3F) {
+            // Supported `0–9:;>?` or unsupported `<=` parameter byte after an
+            // initial unsupported parameter byte in `doCsi()`, or a sequential parameter byte.
+            continueSequence(ESC_CSI_UNSUPPORTED_PARAMETER_BYTE);
+        } else if (b >= 0x20 && b <= 0x2F) {
+            // Optional intermediate byte `!"#$%&'()*+,-./` after parameter or intermediate byte.
+            continueSequence(ESC_CSI_UNSUPPORTED_INTERMEDIATE_BYTE);
+        } else if (b >= 0x40 && b <= 0x7E) {
+            // Final byte `@A–Z[\]^_`a–z{|}~` after parameter or intermediate byte.
+            // Calling `unknownSequence()` would log an error with only a final byte, so ignore it for now.
+            finishSequence();
+        } else {
+            unknownSequence(b);
+        }
+    }
+
     /** Process byte while in the {@link #ESC_CSI_QUESTIONMARK} escape state. */
     private void doCsiQuestionMark(int b) {
         switch (b) {
@@ -1656,12 +1695,16 @@ private void doCsi(int b) {
                     }
                 mCursorCol = newCol;
                 break;
-            case '?': // Esc [ ? -- start of a private mode set
+            case '?': // Esc [ ? -- start of a private parameter byte
                 continueSequence(ESC_CSI_QUESTIONMARK);
                 break;
-            case '>': // "Esc [ >" --
+            case '>': // "Esc [ >" -- start of a private parameter byte
                 continueSequence(ESC_CSI_BIGGERTHAN);
                 break;
+            case '<': // "Esc [ <" -- start of a private parameter byte
+            case '=': // "Esc [ =" -- start of a private parameter byte
+                continueSequence(ESC_CSI_UNSUPPORTED_PARAMETER_BYTE);
+                break;
             case '`': // Horizontal position absolute (HPA - http://www.vt100.net/docs/vt510-rm/HPA).
                 setCursorColRespectingOriginMode(getArg0(1) - 1);
                 break;

termux-shared/build.gradle

@@ -3,6 +3,7 @@ apply plugin: 'maven-publish'
 
 android {
     compileSdkVersion project.properties.compileSdkVersion.toInteger()
+    ndkVersion = System.getenv("JITPACK_NDK_VERSION") ?: project.properties.ndkVersion
 
     dependencies {
         implementation "androidx.appcompat:appcompat:1.3.1"
@@ -14,7 +15,7 @@ android {
         implementation "io.noties.markwon:ext-strikethrough:$markwonVersion"
         implementation "io.noties.markwon:linkify:$markwonVersion"
         implementation "io.noties.markwon:recycler:$markwonVersion"
-        implementation "org.lsposed.hiddenapibypass:hiddenapibypass:5.0"
+        implementation "org.lsposed.hiddenapibypass:hiddenapibypass:6.1"
 
         // Do not increment version higher than 1.0.0-alpha09 since it will break ViewUtils and needs to be looked into
         // noinspection GradleDependency

termux-shared/src/main/java/com/termux/shared/models/ReportInfo.java

@@ -1,5 +1,7 @@
 package com.termux.shared.models;
 
+import androidx.annotation.Keep;
+
 import com.termux.shared.markdown.MarkdownUtils;
 import com.termux.shared.android.AndroidUtils;
 
@@ -10,6 +12,25 @@
  */
 public class ReportInfo implements Serializable {
 
+    /**
+     * Explicitly define `serialVersionUID` to prevent exceptions on deserialization.
+     *
+     * Like when calling `Bundle.getSerializable()` on Android.
+     * `android.os.BadParcelableException: Parcelable encountered IOException reading a Serializable object` (name = <class_name>)
+     * `java.io.InvalidClassException: <class_name>; local class incompatible`
+     *
+     * The `@Keep` annotation is necessary to prevent the field from being removed by proguard when
+     * app is compiled, even if its kept during library compilation.
+     *
+     * **See Also:**
+     * - https://docs.oracle.com/javase/8/docs/platform/serialization/spec/version.html#a6678
+     * - https://docs.oracle.com/javase/8/docs/platform/serialization/spec/class.html#a4100
+     */
+    @Keep
+    private static final long serialVersionUID = 1L;
+
+
+
     /** The user action that was being processed for which the report was generated. */
     public final String userAction;
     /** The internal app component that sent the report. */

termux-shared/src/main/java/com/termux/shared/models/TextIOInfo.java

@@ -3,6 +3,7 @@
 import android.graphics.Color;
 import android.graphics.Typeface;
 
+import androidx.annotation.Keep;
 import androidx.annotation.NonNull;
 
 import com.termux.shared.activities.TextIOActivity;
@@ -19,6 +20,25 @@
  */
 public class TextIOInfo implements Serializable {
 
+    /**
+     * Explicitly define `serialVersionUID` to prevent exceptions on deserialization.
+     *
+     * Like when calling `Bundle.getSerializable()` on Android.
+     * `android.os.BadParcelableException: Parcelable encountered IOException reading a Serializable object` (name = <class_name>)
+     * `java.io.InvalidClassException: <class_name>; local class incompatible`
+     *
+     * The `@Keep` annotation is necessary to prevent the field from being removed by proguard when
+     * app is compiled, even if its kept during library compilation.
+     *
+     * **See Also:**
+     * - https://docs.oracle.com/javase/8/docs/platform/serialization/spec/version.html#a6678
+     * - https://docs.oracle.com/javase/8/docs/platform/serialization/spec/class.html#a4100
+     */
+    @Keep
+    private static final long serialVersionUID = 1L;
+
+
+
     public static final int GENERAL_DATA_SIZE_LIMIT_IN_BYTES = 1000;
     public static final int LABEL_SIZE_LIMIT_IN_BYTES = 4000;
     public static final int TEXT_SIZE_LIMIT_IN_BYTES = 100000 - GENERAL_DATA_SIZE_LIMIT_IN_BYTES - LABEL_SIZE_LIMIT_IN_BYTES; // < 100KB