URL: <http://savannah.gnu.org/bugs/?54236>
Summary: Leftover extra chars after C1 control's tty sanitization
Project: findutils
Submitted by: egmont
Submitted on: Mon 02 Jul 2018 09:38:37 PM UTC
Category: find
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: 4.6.0
Fixed Release: None

_______________________________________________________

Details:

$ touch $'abcdefghi\xC2\x9Bjklmnopqrstuvwxyz'
$ find .
./abcdefghi?jklmnopqrstuvwxyzz

Notice the double trailing 'z' at the end of the output.

The two-byte C1 control code (U+009B) in this case is replaced by a '?' if the output is sent to a tty. The rest is apparently correctly shifted by 1 byte in some internal buffer, but I guess the end is not truncated (or the length is not decremented).

This can even have security implications, as the leftover part is not subject to escape sequence sanitization. This way e.g. an ordinary user who creates a specially named file can drive root's terminal emulator to do tricky things.

Example where the output actually turns red:

$ touch $'alert\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\e[31mred'
$ find .
./alert?????????[31mredred
                      ^^^ this is actually printed in red in gnome-terminal (and presumably any other terminal emulator that supports C1 control characters in UTF-8).

Other escape sequences can do nastier things, e.g. type certain (but not arbitrary) characters as if they were typed by the user.

"find --version" reports 4.7.0-git; dpkg reports 4.6.0+git+20170828-2. Package from Ubuntu 18.04.

Discovered while answering https://askubuntu.com/q/1051367/398785.

_______________________________________________________

Message sent via Savannah
https://savannah.gnu.org/
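As an added illustration (not part of egmont's report and not findutils' own code), the following hypothetical C sanitizer reproduces the reported symptom on the two file names above when the shortened byte count is discarded after compaction, beside the corrected handling and a check a maintainer could run on the output. The names IS_C1_UTF8, compact_controls, tty_name and leaks_control are invented for this example; the buggy-versus-fixed behaviour is selected by the honour_len flag.

```c
#include <string.h>

/* Hypothetical sanitizer for this example (not findutils' own code):
 * replace each C0 control (0x00-0x1F, 0x7F) and each UTF-8 encoded C1
 * control (U+0080..U+009F, bytes C2 80..C2 9F) with a single '?'. */
#define IS_C1_UTF8(p, left) \
    ((left) >= 2 && (p)[0] == 0xC2 && (p)[1] >= 0x80 && (p)[1] <= 0x9F)

/* Compacts buf in place and returns the new byte count, which is shorter
 * than n whenever a two-byte C1 sequence became one '?'. */
static size_t compact_controls(unsigned char *buf, size_t n)
{
    size_t r = 0, w = 0;
    while (r < n) {
        size_t len = IS_C1_UTF8(buf + r, n - r) ? 2 : 1;
        if (len == 2 || buf[r] < 0x20 || buf[r] == 0x7F)
            buf[w++] = '?';             /* control -> single '?' */
        else
            buf[w++] = buf[r];
        r += len;
    }
    return w;   /* bytes w..n-1 still hold the original, unsanitized tail */
}

/* Copy name into out, sanitize it for a tty and return the byte count to
 * emit.  With honour_len == 0 this models the reported defect: the shorter
 * length is discarded and the original n bytes are emitted, so the stale
 * tail (e.g. a raw ESC that was shifted past the compacted region)
 * reaches the terminal. */
size_t tty_name(const char *name, char *out, size_t outsz, int honour_len)
{
    size_t n = strlen(name);
    if (n >= outsz) return 0;           /* need room for n bytes plus NUL */
    memcpy(out, name, n + 1);
    size_t w = compact_controls((unsigned char *) out, n);
    if (!honour_len) return n;          /* buggy: out[w..n-1] is stale */
    out[w] = '\0';                      /* fixed: terminate at new length */
    return w;
}

/* Defender's check: does any C0 or encoded C1 control survive in out? */
int leaks_control(const char *out, size_t len)
{
    const unsigned char *p = (const unsigned char *) out;
    for (size_t i = 0; i < len; i++)
        if (p[i] < 0x20 || p[i] == 0x7F || IS_C1_UTF8(p + i, len - i))
            return 1;
    return 0;
}
```

On the second name from the report, the buggy path emits a raw ESC [ 3 1 m after the sanitized bytes, which is exactly why the trailing "red" renders in red while the '?' characters look harmless.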