From: "Skyler Ferrante (RIT Student)"
Date: Tue, 27 Feb 2024 20:18:08 -0500
Subject: Grep poorly handles ansi characters in filename match
To: bug-grep@gnu.org
Reply-To: sjf5462@rit.edu

Hello,

When grep prints filenames (such as in grep -r), it does not seem to check for ANSI escape sequences.

Reproduce:
```
# Create a file whose name embeds ANSI escape sequences
filename=$(printf "\033[33;1;4myello_underline\033[0m")
echo hi > "$filename"
# grep prints the filename, escape bytes included, to the terminal
grep -r "hi" .
```

If you squint, this could be seen as a security risk, but I think it's probably not. An attacker could hide logs when searched with grep if they could create files with arbitrary names in a directory a user might search. There's also the issue of bad terminals that allow command execution from escape sequences.

I'll let you decide if it should get a CVE/marked as a security issue or not.

I did not see any prior bug reports of this; hopefully this isn't something you already know about.

Cheers,
Skyler
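One way to neutralise control bytes in a filename before it is written to a terminal, as an added example that is not part of the original message and is not grep's code. The names `sanitize_filename` and `display_name` are hypothetical, and the input in `main` is the filename from the report's reproduction.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not grep's code: copy `name` into `out`, turning
   control bytes into visible \ooo octal escapes so the terminal never
   receives them raw. Returns the number of control characters escaped,
   or -1 if `out` is too small. */
int sanitize_filename(const char *name, char *out, size_t outsz)
{
    const unsigned char *p = (const unsigned char *)name;
    size_t o = 0;
    int escaped = 0;

    if (outsz == 0) return -1;
    while (*p) {
        int c0 = *p < 0x20 || *p == 0x7f;   /* C0 controls (ESC is 0x1b), DEL */
        /* UTF-8 encoding of the C1 controls U+0080..U+009F (U+009B is CSI) */
        int c1 = *p == 0xc2 && p[1] >= 0x80 && p[1] <= 0x9f;
        size_t n = c1 ? 2 : 1;              /* input bytes consumed */

        if (c0 || c1) {
            for (size_t i = 0; i < n; i++) {
                if (o + 5 > outsz) return -1;       /* "\ooo" plus NUL */
                o += (size_t)snprintf(out + o, outsz - o, "\\%03o", (unsigned)p[i]);
            }
            escaped++;
        } else if (*p == '\\') {            /* keep the output unambiguous */
            if (o + 3 > outsz) return -1;
            out[o++] = '\\';
            out[o++] = '\\';
        } else {
            if (o + 2 > outsz) return -1;
            out[o++] = (char)*p;
        }
        p += n;
    }
    out[o] = '\0';
    return escaped;
}

/* Display wrapper: static buffer, "?" if the name does not fit. */
const char *display_name(const char *name)
{
    static char buf[4096];
    return sanitize_filename(name, buf, sizeof buf) < 0 ? "?" : buf;
}

int main(void)
{
    /* The filename from the report's reproduction. */
    printf("%s:hi\n", display_name("./\033[33;1;4myello_underline\033[0m"));
    return 0;
}
```

Ordinary multi-byte UTF-8 names pass through unchanged; only control characters and backslashes are rewritten, so an escaped name cannot be confused with a literal one.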