Create SECURITY.md

2025-07-16 12:39:38 +08:00 · 2023-07-27 13:21:11 +01:00
13 changed files with 38 additions and 44 deletions
--- a/.github/workflows/branches.yml
+++ b/.github/workflows/branches.yml
@ -19,7 +19,7 @@ jobs:
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out the repository under $GITHUB_WORKSPACE, so the job can access it
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
        with:
          fetch-depth: 0 # fetch all history for all branches and tags

--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -11,7 +11,7 @@ on:
    tags:
      - "v*"
  pull_request:
-    branches: [ "master", "development" ]
+    branches: [ "master" ]

 #---------------------------------#
 #    environment configuration    #
@ -35,12 +35,12 @@ jobs:
      discussions: write
    steps:
    - name: Check out repository code (Action from GitHub)
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
      with:
        fetch-depth: 0

    - name: Add MSBuild to PATH
-      uses: microsoft/setup-msbuild@v2
+      uses: microsoft/setup-msbuild@v1

    - name: Build Cmder Launcher
      shell: pwsh
@ -53,32 +53,32 @@ jobs:
      run: .\pack.ps1 -verbose

    - name: Upload artifact (cmder.zip)
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v3
      with:
        path: build/cmder.zip
        name: cmder.zip
        if-no-files-found: error

    - name: Upload artifact (cmder.7z)
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v3
      with:
        path: build/cmder.7z
        name: cmder.7z

    - name: Upload artifact (cmder_mini.zip)
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v3
      with:
        path: build/cmder_mini.zip
        name: cmder_mini.zip

    - name: Upload artifact (hashes.txt)
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v3
      with:
        path: build/hashes.txt
        name: hashes.txt

    - name: Create Release
-      uses: softprops/action-gh-release@v2
+      uses: softprops/action-gh-release@v1
      with:
        files: |
          build/cmder.zip
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -8,7 +8,7 @@ name: "CodeQL"

 on:
  push:
-    branches: [ "master", "development" ]
+    branches: [ "master" ]
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
@ -16,7 +16,7 @@ on:
      - '**/.gitignore'
  pull_request:
    # The branches below must be a subset of the branches above
-    branches: [ "master", "development" ]
+    branches: [ "master" ]
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
@ -45,11 +45,11 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v2
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@ -60,7 +60,7 @@ jobs:
        # queries: security-extended,security-and-quality

    - name: Add MSBuild to PATH
-      uses: microsoft/setup-msbuild@v2
+      uses: microsoft/setup-msbuild@v1

    - name: Build Cmder Launcher
      shell: pwsh
@ -68,6 +68,6 @@ jobs:
      run: .\build.ps1 -Compile -verbose

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v2
      with:
        category: "/language:${{matrix.language}}"
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -4,7 +4,6 @@ on:
  push:
    branches:
      - master
-      - development
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
@ -13,7 +12,6 @@ on:
  pull_request:
    branches:
      - master
-      - development
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
@ -38,7 +36,7 @@ jobs:
    continue-on-error: false

    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Initialize vendors
      shell: pwsh
      working-directory: scripts
--- a/.github/workflows/vendor.yml
+++ b/.github/workflows/vendor.yml
@ -24,7 +24,7 @@ jobs:
      pull-requests: write

    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
      with:
        fetch-depth: 0

@ -51,7 +51,7 @@ jobs:
          Set-GHVariable -Name LIST_UPDATED -Value $listUpdated.Trim(', ')
          echo "UPDATE_MESSAGE<<<EOF`n$updateMessage`n<EOF" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8

-    - uses: peter-evans/create-pull-request@v6
+    - uses: peter-evans/create-pull-request@v5
      if: env.COUNT_UPDATED > 0
      with:
        title: 'Updates to `${{ env.COUNT_UPDATED }}` vendored dependencies'
--- a/SECURITY.md
+++ b/SECURITY.md
@ -9,16 +9,14 @@

 ## Reporting a Vulnerability

-If you discover a security issue in our project, please report it to [MartiUK](https://github.com/MartiUK). We will acknowledge your email within 24 hours and provide a more detailed response within 48 hours. We will try to fix the issue as soon as possible and inform you when a new version is released.
+Please report any vulnerabilities to [MartiUK](https://github.com/MartiUK).

 Please include as much of the information listed below as you can to help us better understand and resolve the issue:

- The nature of the issue
- The affected source file(s) with full paths
- The location of the vulnerable code (tag/branch/commit or direct URL)
- Any special configuration needed to reproduce the issue
- Detailed steps to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- The impact of the issue, including how an attacker could exploit it
-
-Please do not disclose the vulnerability publicly until we have resolved it.
+The type of issue
+Full paths of source file(s) related to the manifestation of the issue
+The location of the affected source code (tag/branch/commit or direct URL)
+Any special configuration required to reproduce the issue
+Step-by-step instructions to reproduce the issue
+Proof-of-concept or exploit code (if possible)
+Impact of the issue, including how an attacker might exploit the issue
--- a/launcher/src/CmderLauncher.cpp
+++ b/launcher/src/CmderLauncher.cpp
@ -469,6 +469,9 @@ void StartCmder(std::wstring  path = L"", bool is_single_mode = false, std::wstr
 		MessageBox(NULL, _T("Unable to create the ConEmu process!"), _T("Error"), MB_OK);
 		return;
 	}
+
+	LRESULT lr = SendMessageTimeout(HWND_BROADCAST, WM_SETTINGCHANGE, 0, (LPARAM)"Environment", SMTO_ABORTIFHUNG | SMTO_NOTIMEOUTIFNOTHUNG, 5000, NULL);
+	lr = SendMessageTimeout(HWND_BROADCAST, WM_SETTINGCHANGE, 0, (LPARAM)L"Environment", SMTO_ABORTIFHUNG | SMTO_NOTIMEOUTIFNOTHUNG, 5000, NULL); // For Windows >= 8
 }

 bool IsUserOnly(std::wstring opt)
--- a/launcher/src/version.rc2.sample
+++ b/launcher/src/version.rc2.sample
@ -1,7 +1,7 @@

 /**
 * WARNING: do NOT modify this file! the content of this file should be
- *          automatically generated before AppVeyor builds using the
+ *          automatically genereted before AppVeyor builds using the
 *          respective .ps1 Powershell scripts.
 *
 */
--- a/scripts/build.ps1
+++ b/scripts/build.ps1
@ -79,7 +79,7 @@ if ($Compile) {

    Write-Verbose "Building the launcher..."

-    # Reference: https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
+    # Referene: https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
    msbuild CmderLauncher.vcxproj /t:Clean,Build /p:configuration=Release /m

    if ($LastExitCode -ne 0) {
--- a/vendor/bin/cmder_shell.cmd
+++ b/vendor/bin/cmder_shell.cmd
@ -9,5 +9,5 @@ if "%cmder_init%" == "1" (
 )

 pushd "%CMDER_ROOT%"
-call "%CMDER_ROOT%\vendor\init.bat" /f %*
+call "%CMDER_ROOT%\vendor\init.bat" /f
 popd
--- a/vendor/clink_settings.default
+++ b/vendor/clink_settings.default
@ -1,10 +1,6 @@
 # For explanation of these and other settings see:
 # https://chrisant996.github.io/clink/clink.html

-# name: Expand envvars when completing
-# type: boolean
-match.expand_envvars = True
-
 # name: Sets how command history expansion is applied
 # type: enum
 # options: off,on,not_squoted,not_dquoted,not_quoted
--- a/vendor/lib/lib_git.cmd
+++ b/vendor/lib/lib_git.cmd
@ -55,7 +55,6 @@ exit /b
            set "GIT_VERSION=%%C"
        ) else (
            echo "'git --version' returned an improper version string!"
-            %print_debug% :read_version "returned string: '%%A %%B %%C' by executable path: %git_executable%"
            pause
            exit /b
        )
--- a/vendor/sources.json
+++ b/vendor/sources.json
@ -1,13 +1,13 @@
 [
  {
    "name": "git-for-windows",
-    "version": "2.45.1.windows.1",
-    "url": "https://github.com/git-for-windows/git/releases/download/v2.45.1.windows.1/PortableGit-2.45.1-64-bit.7z.exe"
+    "version": "2.41.0.windows.3",
+    "url": "https://github.com/git-for-windows/git/releases/download/v2.41.0.windows.3/PortableGit-2.41.0.3-64-bit.7z.exe"
  },
  {
    "name": "clink",
-    "version": "1.6.14",
-    "url": "https://github.com/chrisant996/clink/releases/download/v1.6.14/clink.1.6.14.93b83f.zip"
+    "version": "1.5.1",
+    "url": "https://github.com/chrisant996/clink/releases/download/v1.5.1/clink.1.5.1.1e9e51.zip"
  },
  {
    "name": "conemu-maximus5",
@ -16,7 +16,7 @@
  },
  {
    "name": "clink-completions",
-    "version": "0.5.2",
-    "url": "https://github.com/vladimir-kotikov/clink-completions/archive/v0.5.2.zip"
+    "version": "0.4.10",
+    "url": "https://github.com/vladimir-kotikov/clink-completions/archive/v0.4.10.zip"
  }
 ]