URL:
<http://savannah.gnu.org/bugs/?54236>
Summary: Leftover extra chars after C1 control's tty
sanitization
Project: findutils
Submitted by: egmont
Submitted on: Mon 02 Jul 2018 09:38:37 PM UTC
Category: find
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: 4.6.0
Fixed Release: None
_______________________________________________________
Details:
$ touch $'abcdefghi\xC2\x9Bjklmnopqrstuvwxyz'
$ find
.
./abcdefghi?jklmnopqrstuvwxyzz
Notice the double trailing 'z' at the end of the output.
The two-byte C1 control code (U+009B) in this case is replaced by a '?' if the
output is sent to a tty. The rest is apparently correctly shifted by 1 byte in
some internal buffer, but I guess the end is not truncated (or the length is
not decremented).
This can even have security implications, as the leftover part is not subject
to escape sequence sanitization. This way e.g. an ordinary user who creates a
specially named file can drive root's terminal emulator to do tricky things.
Example where the output actually turns red:
$ touch
$'alert\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\e[31mred'
$ find
.
./alert?????????[31mredred
^^^
this is actually printed in red in gnome-terminal (and presumably any other
terminal emulator that supports C1 control characters in UTF-8). Other escape
sequences can do nastier things, e.g. type certain (but not arbitrary)
characters as if they were typed by the user.
"find --version" reports 4.7.0-git; dpkg reports 4.6.0+git+20170828-2. Package
from Ubuntu 18.04.
Discovered while answering https://askubuntu.com/q/1051367/398785.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?54236>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
