bug-grep
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#69445: Grep poorly handles ansi characters in filename match


From: Skyler Ferrante (RIT Student)
Subject: bug#69445: Grep poorly handles ansi characters in filename match
Date: Tue, 27 Feb 2024 20:18:08 -0500

Hello,

When grep prints filenames (such as in grep -r), it does not seem to
check for ansi escape sequences.

Reproduce:
```
filename=$(printf "\033[33;1;4myello_underline\033[0m")
echo hi > $filename
grep -r "hi" .
```

If you squint, this could be seen as a security risk, but I think it's
probably not. An attacker could hide logs when searched with grep if
they could create files with arbitrary names in a directory a user
might search. There's also the issue of bad terminals that allow
command execution from escape sequences. I'll let you decide if it
should get a CVE/marked as a security issue or not.

I did not see any prior bug reports of this, hopefully this isn't
something you already know about.

Cheers,
Skyler





reply via email to

[Prev in Thread] Current Thread [Next in Thread]