GNU bug report logs -
#69445
Grep poorly handles ansi characters in filename match
Previous Next
Full log
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hello,
When grep prints filenames (such as in grep -r), it does not seem to
check for ansi escape sequences.
Reproduce:
```
filename=$(printf "\033[33;1;4myello_underline\033[0m")
echo hi > $filename
grep -r "hi" .
```
If you squint, this could be seen as a security risk, but I think it's
probably not. An attacker could hide logs when searched with grep if
they could create files with arbitrary names in a directory a user
might search. There's also the issue of bad terminals that allow
command execution from escape sequences. I'll let you decide if it
should get a CVE/marked as a security issue or not.
I did not see any prior bug reports of this, hopefully this isn't
something you already know about.
Cheers,
Skyler
This bug report was last modified 1 year and 109 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.