Add safeUriSchemes setting (#20207 )

This adds a `safeUriSchemes` global setting which lets you define hyperlink URI schemes which the user considers safe. No confirmation dialog will be shown when trying to open hyperlinks which use these schemes. - This solves the root issue, but doesn't introduce any UI or documentation changes. I wanted to validate the approach and implementation with you first. - I closely followed the code handling the `disabledProfileSources` setting, which is of the same type. - This feature does not change the behavior of `http`, `https` and `file` schemes. Validation I ran the dev terminal, and tested the behavior by clicking on `vscode` hyperlinks generated by ripgrep with various `safeUriSchemes` settings: - Setting not defined - asks for confirmation - `["vscode"]` - does not ask for confirmation - `["foo", "vscode"]` - does not ask for confirmation - `["foo"]` - asks for confirmation - `null` - asks for confirmation - `[]` - asks for confirmation - `[""]` - asks for confirmation - `[{"foo": "bar"}]` - fails to deserialize (as expected) A few uinit tests failed, but they seem unrelated to these changes: - `KeyBindingTests` in `UnitTests_SettingsModel`, probably because I use an AZERTY keyboard. - A few `Conhost` tests, but I didn't touch this part Refs #20065 Closes #20191 (cherry picked from commit fb71a0462e) Service-Card-Id: PVTI_lADOAF3p4s4BQX0-zgshlaI Service-Version: 1.25
sixel: prevent allocating an absurd amount of memory or writing OOB (#20213 )
2026-05-18 01:00:00 +00:00 · 2026-05-12 16:40:01 -05:00 · 2026-05-12 11:22:29 -05:00 · 2026-05-12 11:22:28 -05:00 · 2026-05-12 11:22:26 -05:00 · 2026-05-12 11:22:24 -05:00
16 changed files with 96 additions and 28 deletions
--- a/doc/cascadia/profiles.schema.json
+++ b/doc/cascadia/profiles.schema.json
@@ -2470,6 +2470,13 @@
          },
          "type": "array"
        },
+        "safeUriSchemes": {
+          "description": "Specifies a list of URI schemes that are considered safe. No confirmation will be required to open URIs with these schemes.",
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        },
        "rendering.graphicsAPI": {
          "description": "Direct3D 11 provides a more performant and feature-rich experience, whereas Direct2D is more stable. The default option \"Automatic\" will pick the API that best fits your graphics hardware. If you experience significant issues, consider using Direct2D.",
          "type": "string",
--- a/src/cascadia/TerminalApp/AppActionHandlers.cpp
+++ b/src/cascadia/TerminalApp/AppActionHandlers.cpp
@@ -499,8 +499,8 @@ namespace winrt::TerminalApp::implementation
            }
            else
            {
-                _ResizePane(realArgs.ResizeDirection());
-                args.Handled(true);
+                const auto resizeSucceeded = _ResizePane(realArgs.ResizeDirection());
+                args.Handled(resizeSucceeded);
            }
        }
    }
--- a/src/cascadia/TerminalApp/Tab.cpp
+++ b/src/cascadia/TerminalApp/Tab.cpp
@@ -844,14 +844,14 @@ namespace winrt::TerminalApp::implementation
    // Arguments:
    // - direction: The direction to move the separator in.
    // Return Value:
-    // - <none>
-    void Tab::ResizePane(const ResizeDirection& direction)
+    // - whether a pane was resized
+    bool Tab::ResizePane(const ResizeDirection& direction)
    {
        ASSERT_UI_THREAD();

        // NOTE: This _must_ be called on the root pane, so that it can propagate
        // throughout the entire tree.
-        _rootPane->ResizePane(direction);
+        return _rootPane->ResizePane(direction);
    }

    // Method Description:
--- a/src/cascadia/TerminalApp/Tab.h
+++ b/src/cascadia/TerminalApp/Tab.h
@@ -53,7 +53,7 @@ namespace winrt::TerminalApp::implementation
                                                                                                        const float splitSize,
                                                                                                        winrt::Windows::Foundation::Size availableSpace) const;

-        void ResizePane(const winrt::Microsoft::Terminal::Settings::Model::ResizeDirection& direction);
+        bool ResizePane(const winrt::Microsoft::Terminal::Settings::Model::ResizeDirection& direction);
        bool NavigateFocus(const winrt::Microsoft::Terminal::Settings::Model::FocusDirection& direction);
        bool SwapPane(const winrt::Microsoft::Terminal::Settings::Model::FocusDirection& direction);
        bool FocusPane(const uint32_t id);
--- a/src/cascadia/TerminalApp/TerminalPage.cpp
+++ b/src/cascadia/TerminalApp/TerminalPage.cpp
@@ -2791,14 +2791,15 @@ namespace winrt::TerminalApp::implementation
    // Arguments:
    // - direction: The direction to move the separator in.
    // Return Value:
-    // - <none>
-    void TerminalPage::_ResizePane(const ResizeDirection& direction)
+    // - whether a pane was resized
+    bool TerminalPage::_ResizePane(const ResizeDirection& direction)
    {
        if (const auto tabImpl{ _GetFocusedTabImpl() })
        {
            _UnZoomIfNeeded();
-            tabImpl->ResizePane(direction);
+            return tabImpl->ResizePane(direction);
        }
+        return false;
    }

    // Method Description:
@@ -3197,13 +3198,15 @@ namespace winrt::TerminalApp::implementation
        return true;
    }

-    bool TerminalPage::_IsUriConsideredSomewhatSafe(const winrt::Windows::Foundation::Uri& parsedUri)
+    bool TerminalPage::_IsUriConsideredSomewhatSafe(const winrt::Windows::Foundation::Uri& parsedUri) const
    {
-        if (parsedUri.SchemeName() == L"http" || parsedUri.SchemeName() == L"https")
+        const auto& schemeName = parsedUri.SchemeName();
+
+        if (schemeName == L"http" || schemeName == L"https")
        {
            return true;
        }
-        if (parsedUri.SchemeName() == L"file")
+        if (schemeName == L"file")
        {
            static const auto pathext{ wil::TryGetEnvironmentVariableW<std::wstring>(L"PATHEXT") };
            const auto filename = parsedUri.Path();
@@ -3217,6 +3220,16 @@ namespace winrt::TerminalApp::implementation

            return true;
        }
+        if (const auto& safeSchemes = _settings.GlobalSettings().SafeUriSchemes())
+        {
+            for (const auto& scheme : safeSchemes)
+            {
+                if (til::equals_insensitive_ascii(schemeName, scheme))
+                {
+                    return true;
+                }
+            }
+        }

        return false;
    }
--- a/src/cascadia/TerminalApp/TerminalPage.h
+++ b/src/cascadia/TerminalApp/TerminalPage.h
@@ -412,7 +412,7 @@ namespace winrt::TerminalApp::implementation
                        const Microsoft::Terminal::Settings::Model::SplitDirection splitType,
                        const float splitSize,
                        std::shared_ptr<Pane> newPane);
-        void _ResizePane(const Microsoft::Terminal::Settings::Model::ResizeDirection& direction);
+        bool _ResizePane(const Microsoft::Terminal::Settings::Model::ResizeDirection& direction);
        void _ToggleSplitOrientation();

        void _ScrollPage(ScrollDirection scrollDirection);
@@ -424,7 +424,7 @@ namespace winrt::TerminalApp::implementation

        safe_void_coroutine _OpenHyperlinkHandler(const IInspectable sender, const Microsoft::Terminal::Control::OpenHyperlinkEventArgs eventArgs);
        static bool _IsUriSupported(const winrt::Windows::Foundation::Uri& parsedUri);
-        static bool _IsUriConsideredSomewhatSafe(const winrt::Windows::Foundation::Uri& parsedUri);
+        bool _IsUriConsideredSomewhatSafe(const winrt::Windows::Foundation::Uri& parsedUri) const;

        void _ShowCouldNotOpenDialog(winrt::hstring reason, winrt::hstring uri);
        bool _CopyText(bool dismissSelection, bool singleLine, bool withControlSequences, Microsoft::Terminal::Control::CopyFormat formats);
--- a/src/cascadia/TerminalCore/Terminal.cpp
+++ b/src/cascadia/TerminalCore/Terminal.cpp
@@ -98,7 +98,6 @@ void Terminal::UpdateSettings(ICoreSettings settings)
    _answerbackMessage = settings.AnswerbackMessage();
    _wordDelimiters = settings.WordDelimiters();
    _suppressApplicationTitle = settings.SuppressApplicationTitle();
-    _startingTitle = settings.StartingTitle();
    _trimBlockSelection = settings.TrimBlockSelection();
    _autoMarkPrompts = settings.AutoMarkPrompts();
    _rainbowSuggestions = settings.RainbowSuggestions();
@@ -124,6 +123,11 @@ void Terminal::UpdateSettings(ICoreSettings settings)
    // Save the changes made above and in UpdateAppearance as the new default render settings.
    GetRenderSettings().SaveDefaultSettings();

+    if (!_startingTitle)
+    {
+        _startingTitle = settings.StartingTitle();
+    }
+
    if (!_startingTabColor && settings.StartingTabColor())
    {
        _startingTabColor = settings.StartingTabColor().Value();
--- a/src/cascadia/TerminalCore/Terminal.hpp
+++ b/src/cascadia/TerminalCore/Terminal.hpp
@@ -349,7 +349,7 @@ private:
    ::Microsoft::Console::VirtualTerminal::TerminalInput _terminalInput;

    std::optional<std::wstring> _title;
-    std::wstring _startingTitle;
+    std::optional<std::wstring> _startingTitle;
    std::optional<til::color> _startingTabColor;

    std::vector<til::point_span> _searchHighlights;
--- a/src/cascadia/TerminalCore/TerminalApi.cpp
+++ b/src/cascadia/TerminalCore/TerminalApi.cpp
@@ -91,8 +91,12 @@ void Terminal::SetWindowTitle(const std::wstring_view title)
    _assertLocked();
    if (!_suppressApplicationTitle)
    {
-        _title.emplace(title.empty() ? _startingTitle : title);
-        _pfnTitleChanged(_title.value());
+        _title.reset();
+        if (!title.empty())
+        {
+            _title.emplace(title);
+        }
+        _pfnTitleChanged(GetConsoleTitle());
    }
 }

@@ -112,6 +116,13 @@ bool Terminal::ResizeWindow(const til::CoordType width, const til::CoordType hei
        return false;
    }

+    const auto currentDimensions = _GetMutableViewport().Dimensions();
+
+    if (width == currentDimensions.width && height == currentDimensions.height)
+    {
+        return false;
+    }
+
    if (_pfnWindowSizeChanged)
    {
        _pfnWindowSizeChanged(width, height);
--- a/src/cascadia/TerminalCore/terminalrenderdata.cpp
+++ b/src/cascadia/TerminalCore/terminalrenderdata.cpp
@@ -184,11 +184,18 @@ void Terminal::SelectNewRegion(const til::point coordStart, const til::point coo
 std::wstring_view Terminal::GetConsoleTitle() const noexcept
 {
    _assertLocked();
-    if (_title.has_value())
+
+    if (_title)
    {
        return *_title;
    }
-    return _startingTitle;
+
+    if (_startingTitle)
+    {
+        return *_startingTitle;
+    }
+
+    return {};
 }

 // Method Description:
--- a/src/cascadia/TerminalSettingsModel/GlobalAppSettings.cpp
+++ b/src/cascadia/TerminalSettingsModel/GlobalAppSettings.cpp
@@ -102,6 +102,14 @@ winrt::com_ptr<GlobalAppSettings> GlobalAppSettings::Copy() const
            globals->_DisabledProfileSources->Append(src);
        }
    }
+    if (_SafeUriSchemes)
+    {
+        globals->_SafeUriSchemes = winrt::single_threaded_vector<hstring>();
+        for (const auto& src : *_SafeUriSchemes)
+        {
+            globals->_SafeUriSchemes->Append(src);
+        }
+    }

    for (const auto& parent : _parents)
    {
--- a/src/cascadia/TerminalSettingsModel/GlobalAppSettings.idl
+++ b/src/cascadia/TerminalSettingsModel/GlobalAppSettings.idl
@@ -107,6 +107,7 @@ namespace Microsoft.Terminal.Settings.Model
        INHERITABLE_SETTING(Boolean, EnableUnfocusedAcrylic);
        INHERITABLE_SETTING(Boolean, AllowHeadless);
        INHERITABLE_SETTING(String, SearchWebDefaultQueryUrl);
+        INHERITABLE_SETTING(IVector<String>, SafeUriSchemes);

        Windows.Foundation.Collections.IMapView<String, ColorScheme> ColorSchemes();
        void AddColorScheme(ColorScheme scheme);
--- a/src/cascadia/TerminalSettingsModel/MTSMSettings.h
+++ b/src/cascadia/TerminalSettingsModel/MTSMSettings.h
@@ -63,6 +63,7 @@ Author(s):
    X(bool, MinimizeToNotificationArea, "minimizeToNotificationArea", false)                                                                                                                          \
    X(bool, AlwaysShowNotificationIcon, "alwaysShowNotificationIcon", false)                                                                                                                          \
    X(winrt::Windows::Foundation::Collections::IVector<winrt::hstring>, DisabledProfileSources, "disabledProfileSources", nullptr)                                                                    \
+    X(winrt::Windows::Foundation::Collections::IVector<winrt::hstring>, SafeUriSchemes, "safeUriSchemes", nullptr)                                                                                    \
    X(bool, ShowAdminShield, "showAdminShield", true)                                                                                                                                                 \
    X(bool, TrimPaste, "trimPaste", true)                                                                                                                                                             \
    X(bool, EnableColorSelection, "experimental.enableColorSelection", false)                                                                                                                         \
--- a/src/cascadia/UnitTests_SettingsModel/SerializationTests.cpp
+++ b/src/cascadia/UnitTests_SettingsModel/SerializationTests.cpp
@@ -461,6 +461,7 @@ namespace SettingsModelUnitTests
            "$schema" : "https://aka.ms/terminal-profiles-schema",
            "defaultProfile": "{61c54bbd-1111-5271-96e7-009a87ff44bf}",
            "disabledProfileSources": [ "Windows.Terminal.Wsl" ],
+            "safeUriSchemes": [ "vscode" ],
            "newTabMenu":
            [
                {
--- a/src/cascadia/WindowsTerminal/WindowEmperor.cpp
+++ b/src/cascadia/WindowsTerminal/WindowEmperor.cpp
@@ -97,9 +97,8 @@ static const uint8_t* deserializeString(const uint8_t* it, const uint8_t* end, w
    uint32_t len;
    it = deserializeUint32(it, end, len);

-    const auto bytes = static_cast<size_t>(len) * sizeof(wchar_t);
-
-    if (bytes == 0 || static_cast<size_t>(end - it) < bytes)
+    size_t bytes{};
+    if (!SUCCEEDED(SizeTMult(static_cast<size_t>(len), sizeof(wchar_t), &bytes)) || bytes == 0 || static_cast<size_t>(end - it) < bytes)
    {
        throw std::out_of_range("Not enough data for string content");
    }
--- a/src/terminal/adapter/SixelParser.cpp
+++ b/src/terminal/adapter/SixelParser.cpp
@@ -90,7 +90,15 @@ std::function<bool(wchar_t)> SixelParser::DefineImage(const VTInt macroParameter
        _state = States::Normal;
        _parameters.clear();
        return [&](const auto ch) {
-            _parseCommandChar(ch);
+            try
+            {
+                _parseCommandChar(ch);
+            }
+            catch (...)
+            {
+                // Ignore all further content.
+                return false;
+            }
            return true;
        };
    }
@@ -234,10 +242,18 @@ void SixelParser::_executeNextLine()
    _executeCarriageReturn();
    _imageLineCount++;
    _maybeFlushImageBuffer();
-    _imageCursor.y += _sixelHeight;
-    _availablePixelHeight -= _sixelHeight;
-    _resizeImageBuffer(_sixelHeight);
-    _fillImageBackgroundWhenScrolled();
+    // If we don't have any available pixel height, that means the image has
+    // extended beyond the bottom of the display and we haven't triggered a
+    // a scroll (because sixel display mode is enabled). In this state, there
+    // is no point in extending the image any further, because the additional
+    // content will never be seen, so we'll just be wasting memory.
+    if (_availablePixelHeight > 0)
+    {
+        _imageCursor.y += _sixelHeight;
+        _availablePixelHeight -= _sixelHeight;
+        _resizeImageBuffer(_sixelHeight);
+        _fillImageBackgroundWhenScrolled();
+    }
 }

 void SixelParser::_executeMoveToHome()
Author	SHA1	Message	Date
Lucas Trzesniewski	8214f66a61	Add `safeUriSchemes` setting (#20207 ) This adds a `safeUriSchemes` global setting which lets you define hyperlink URI schemes which the user considers safe. No confirmation dialog will be shown when trying to open hyperlinks which use these schemes. - This solves the root issue, but doesn't introduce any UI or documentation changes. I wanted to validate the approach and implementation with you first. - I closely followed the code handling the `disabledProfileSources` setting, which is of the same type. - This feature does not change the behavior of `http`, `https` and `file` schemes. Validation I ran the dev terminal, and tested the behavior by clicking on `vscode` hyperlinks generated by ripgrep with various `safeUriSchemes` settings: - Setting not defined - asks for confirmation - `["vscode"]` - does not ask for confirmation - `["foo", "vscode"]` - does not ask for confirmation - `["foo"]` - asks for confirmation - `null` - asks for confirmation - `[]` - asks for confirmation - `[""]` - asks for confirmation - `[{"foo": "bar"}]` - fails to deserialize (as expected) A few uinit tests failed, but they seem unrelated to these changes: - `KeyBindingTests` in `UnitTests_SettingsModel`, probably because I use an AZERTY keyboard. - A few `Conhost` tests, but I didn't touch this part Refs #20065 Closes #20191 (cherry picked from commit `fb71a0462e`) Service-Card-Id: PVTI_lADOAF3p4s4BQX0-zgshlaI Service-Version: 1.25	2026-05-12 16:40:01 -05:00
Dustin L. Howett	b0e4be7abd	sixel: prevent allocating an absurd amount of memory or writing OOB (#20213 ) This commit implements two fixes for the integer overflow/out-of-bounds write reported in #20149. First, it catches any exception generated in sixel char processing (which will prevent `out_of_memory` or `bad_alloc` from being ignored sight-unseen, and will prevent the consumption of further DCS content). Second, it prevents us from allocating memory for an image which will never be displayed (because it exceeds the height of the display.) This supersedes prior work in #20153 for the same issues. Closes #20149 Closes #20153 Co-authored-by: James Holderness <j4_james@hotmail.com> (cherry picked from commit `c829d4ca54`) Service-Card-Id: PVTI_lADOAF3p4s4BQX0-zgrY_zQ Service-Version: 1.25	2026-05-12 11:22:29 -05:00
Dustin L. Howett	da1c5597cd	Only set startingTitle once, clear up title fallback handling (#20214 ) This commit ensures that we only set the starting title once when we open a new terminal pane. It also consolidates all title selection into Terminal::GetConsoleTitle, which is now used in the TitleChanged event. TitleChanged no longer stores a separate copy of the starting title if an application attempts to _clear_ the title; that seems like a poorer implementation of what we already had. This supersedes work in #20204. Closes #19340 Closes #20204 Co-authored-by: imsh <im.shaedar@gmail.com> (cherry picked from commit `b991eb048e`) Service-Card-Id: PVTI_lADOAF3p4s4BQX0-zgmWldU Service-Version: 1.25	2026-05-12 11:22:28 -05:00
Dustin L. Howett	f49bcdd43a	Reject DTTERM Window Manipulation resizes with the current size (#20183 ) This may help #20182 and #20112 Closes #19310 (cherry picked from commit `3e3b3ad883`) Service-Card-Id: PVTI_lADOAF3p4s4BQX0-zgr3jGM Service-Version: 1.25	2026-05-12 11:22:26 -05:00
nmurrell07	f4e232190d	fix(resizePane): Mark as handled only when resize succeeds (#20001 ) This fix addresses issue #19983 where resizePane actions unconditionally consume keystrokes even when no resize can occur. The fix follows the same pattern used for moveFocus and swapPane fixes: - Changed Tab::ResizePane to return bool indicating success - Changed TerminalPage::_ResizePane to return bool from ResizePane - Updated _HandleResizePane to set args.Handled() based on whether resize succeeded This allows the keychord to propagate to the terminal when no resize can occur, matching the behavior of moveFocus and swapPane (#6129). Closes #19983 --------- Co-authored-by: nmurrell07 <nmurrell07@users.noreply.github.com> Co-authored-by: Dustin L. Howett <dustin@howett.net> (cherry picked from commit `dadde2fb11`) Service-Card-Id: PVTI_lADOAF3p4s4BQX0-zgr4epg Service-Version: 1.25	2026-05-12 11:22:24 -05:00
Dustin L. Howett	dc2e98f576	Don't allow overflowing lengths in WM_COPYDATA (#20185 ) It is possible to craft a packet whose `len` is `0x80000001`. We should not produce values that do not fit in size_t (on e.g. x86). Reject them summarily. (cherry picked from commit `8edac5fb12`) Service-Card-Id: PVTI_lADOAF3p4s4BQX0-zgr4enI Service-Version: 1.25	2026-05-12 11:22:22 -05:00