GNU bug report logs - #69445
Grep poorly handles ansi characters in filename match

Previous Next

Package: grep;

Reported by: sjf5462 <at> rit.edu

Date: Wed, 28 Feb 2024 01:53:01 UTC

Severity: normal

To reply to this bug, email your comments to 69445 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-grep <at> gnu.org:
bug#69445; Package grep. (Wed, 28 Feb 2024 01:53:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to sjf5462 <at> rit.edu:
New bug report received and forwarded. Copy sent to bug-grep <at> gnu.org. (Wed, 28 Feb 2024 01:53:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: "Skyler Ferrante (RIT Student)" <sjf5462 <at> rit.edu>
To: bug-grep <at> gnu.org
Subject: Grep poorly handles ansi characters in filename match
Date: Tue, 27 Feb 2024 20:18:08 -0500
Hello,

When grep prints filenames (such as in grep -r), it does not seem to
check for ansi escape sequences.

Reproduce:
```
filename=$(printf "\033[33;1;4myello_underline\033[0m")
echo hi > $filename
grep -r "hi" .
```

If you squint, this could be seen as a security risk, but I think it's
probably not. An attacker could hide logs when searched with grep if
they could create files with arbitrary names in a directory a user
might search. There's also the issue of bad terminals that allow
command execution from escape sequences. I'll let you decide if it
should get a CVE/marked as a security issue or not.

I did not see any prior bug reports of this, hopefully this isn't
something you already know about.

Cheers,
Skyler




This bug report was last modified 304 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.