--no-ansi regression

[ktomk]

Since composer/packagist@86244a3 here in #10582 composers global --no-ansi switch does not work properly any longer for the binary sequence that was introduced by that change.

It looks like composer passes this information unchecked and unfiltered into the users shell.

[ktomk]

@Seldaek: Thanks for taking care. While stumbling over it, it is perhaps useful to refuse using any message if it contains one or more NUL bytes - and perhaps everything of C0 (apart what you need for colors as not possible to strip) - just to lower the injection potential into the users shell. You perhaps already thought about it.

[Seldaek]

Let's be honest, if a repository wants to mess with you, it can serve you URLs to packages with malware in them.. so I think we can assume some amount of good-will/trust here.

[ktomk]

Okay, let's be honest: A NUL byte / C0 check would also not turn this into a malware shield. I had more my own terminal messes in mind when injecting control characters than anything else. More error correction than anything else.

So better make the regex pattern filtering out actual ANSI sequences first of all - if anything.