GNU bug report logs -
#69445
Grep poorly handles ansi characters in filename match
Previous Next
To reply to this bug, email your comments to 69445 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-grep <at> gnu.org
:
bug#69445
; Package
grep
.
(Wed, 28 Feb 2024 01:53:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
sjf5462 <at> rit.edu
:
New bug report received and forwarded. Copy sent to
bug-grep <at> gnu.org
.
(Wed, 28 Feb 2024 01:53:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hello,
When grep prints filenames (such as in grep -r), it does not seem to
check for ansi escape sequences.
Reproduce:
```
filename=$(printf "\033[33;1;4myello_underline\033[0m")
echo hi > $filename
grep -r "hi" .
```
If you squint, this could be seen as a security risk, but I think it's
probably not. An attacker could hide logs when searched with grep if
they could create files with arbitrary names in a directory a user
might search. There's also the issue of bad terminals that allow
command execution from escape sequences. I'll let you decide if it
should get a CVE/marked as a security issue or not.
I did not see any prior bug reports of this, hopefully this isn't
something you already know about.
Cheers,
Skyler
This bug report was last modified 269 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.