bug#69445: Grep poorly handles ansi characters in filename match
From: Skyler Ferrante (RIT Student)
Subject: bug#69445: Grep poorly handles ansi characters in filename match
Date: Tue, 27 Feb 2024 20:18:08 -0500
Hello,
When grep prints filenames (such as in grep -r), it does not seem to
check for ANSI escape sequences.
Reproduce:
```
filename=$(printf "\033[33;1;4myello_underline\033[0m")
echo hi > "$filename"
grep -r "hi" .
```
If you squint, this could be seen as a security risk, but I think it's
probably not. An attacker could hide logs when searched with grep if
they could create files with arbitrary names in a directory a user
might search. There's also the issue of bad terminals that allow
command execution from escape sequences. I'll let you decide if it
should get a CVE/marked as a security issue or not.
I did not see any prior bug reports of this; hopefully this isn't
something you already know about.
Cheers,
Skyler
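
A defender-side check for the behaviour reported above, as an added example that is not part of the original message or of grep: it lists file names containing control characters and shows recursive grep output with escape bytes rendered visibly. The function names `find_ctrl_names`, `grep_r_visible` and `make_sample` are hypothetical, the sample directory is constructed, and the script assumes a `cat` that supports `-v` (GNU and BSD do).

```shell
#!/bin/sh
# Added example: show control bytes in file names instead of letting the
# terminal interpret them.

# Print paths under directory $1 whose names contain a control character,
# one per line, with control bytes rendered by cat -v (ESC shows as ^[).
# cat -v leaves newline and tab alone, so those are mapped to '?'.
find_ctrl_names() {
    LC_ALL=C find "$1" -name '*[[:cntrl:]]*' -exec sh -c '
        for f in "$@"; do
            printf "%s" "$f" | cat -v | tr "\n\t" "??"
            echo
        done' sh {} +
}

# Recursive grep for pattern $1 under directory $2 with every control byte
# in the output (file names and matched lines alike) rendered visibly.
grep_r_visible() {
    grep -r -- "$1" "$2" | LC_ALL=C cat -v
}

# Constructed sample: a scratch directory holding the file from the report
# plus one ordinary file for comparison. Prints the directory path.
make_sample() {
    dir=$(mktemp -d) || return 1
    name=$(printf '\033[33;1;4myello_underline\033[0m')
    echo hi > "$dir/$name"
    echo hi > "$dir/plain.txt"
    printf '%s\n' "$dir"
}

sample=$(make_sample)
find_ctrl_names "$sample"      # only the escape-laden name is listed
grep_r_visible hi "$sample"    # both files match; ESC appears as ^[
rm -rf "$sample"
```

`cat -v` also rewrites bytes above 0x7f in `M-` notation, so non-ASCII file names will look different in this output.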