GNU bug report logs - #62888
[bug] zless will not work when LESSSECURE is set

Previous Next

Package: gzip;

Reported by: Marcus Müller <marcus_gnu <at> hostalia.de>

Date: Sun, 16 Apr 2023 20:12:01 UTC

Severity: normal

To reply to this bug, email your comments to 62888 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-gzip <at> gnu.org:
bug#62888; Package gzip. (Sun, 16 Apr 2023 20:12:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marcus Müller <marcus_gnu <at> hostalia.de>:
New bug report received and forwarded. Copy sent to bug-gzip <at> gnu.org. (Sun, 16 Apr 2023 20:12:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Marcus Müller <marcus_gnu <at> hostalia.de>
To: bug-gzip <at> gnu.org
Subject: [bug] zless will not work when LESSSECURE is set
Date: Sun, 16 Apr 2023 15:19:12 +0200
Dear Mailing List and esp. Maintainers,

as found out via investigation[1] triggered by the same bug in a different implementation 
of `zless`, gzip's `zless` has a bug:

When you (as is generally kind of not a bad idea to do) have exported LESSSECURE=1, `less` 
will refuse to work with programs passed through

LESSOPEN='|…'

as piped-through processes. Now, that's the central working principle of `zless` [2]:

|LESSOPEN="|$check_exit_status${use_input_pipe_on_stdin}gzip -cdfq -- %s"|

Thus, in environments with reasonable security settings, `less` will not run `gzip`, hence 
will tell the user that "input is a binary file" and try to display the compressed 
original file.

I'd blame `less` a tiny bit for not even informing the user about things being ignored, 
but then again, it's how its always worked.


So, to the unsuspecting user

export LESSSECURE=1 # often done in /etc/profile or similar place
echo "Hello World" > helloworld.txt
gzip helloworld.txt
zless helloworld.txt.gz

will result in

"helloworld.txt.gz" may be a binary file. See it anyway? y
^_<8B>^H^H<8A><EE>;d^@^Chelloworld.txt^@<CB>H<CD><C9><C9><C9>W<E0>^B^@R[|<DB>^H^@^@^@
helloworld.txt.gz (END)

Best regards,
Marcus

[1] 
https://unix.stackexchange.com/questions/743049/issue-viewing-compressed-file-with-zless-but-not-with-zmore-or-gunzip-c#comment1412495_743050+
[2] https://git.savannah.gnu.org/cgit/gzip.git/tree/zless.in#n77





This bug report was last modified 347 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.