Hi Vincent,

On Sun, Aug 17, 2025 at 03:09:58AM +0200, Vincent Lefevre wrote:
> On 2025-08-16 11:47:43 -0700, Collin Funk wrote:
> > Erik Auerswald <auers...@unix-ag.uni-kl.de> said:
> > > On Wed, Aug 13, 2025 at 07:00:58PM +0200, Vincent Lefevre wrote:
> > > > 
> > > > The following makes the xterm terminal crash
> > > > 
> > > >   touch "$(printf "file\e[H\e[c\n\b")"
> > > >   gunzip file*
> > > > 
> > > > due to malicious character sequences in the file name and a bug
> > > > in xterm. Same issue with bunzip2 instead of gunzip.
> > > 
> > > I do not expect this to only happen with gunzip and bzip2.
> > > Does this happen with any program that prints the filename without
> > > any escaping, e.g., "echo file*", and most programs that print
> > > the provided filename
> 
> Note that "echo file*" is under the control of the user, who should
> never use "echo" or "printf" on unsanitized data. Concerning gunzip
> and bzip2, it is the choice of these programs to output the file name
> without filtering first (in particular when the output is done to
> a terminal).
> 
> > > when reporting any associated problem (i.e., all that do not escape
> > > or suppress non-printable filename characters or bytes)?
> > 
> > Yep, any program will print non-printable characters unless it has
> > some logic to not do so.
> > [...]
> > Generally this is an extra program feature.
> 
> I see this as more than a feature, at least in the case the output
> is done to a terminal. As a general rule, programs are expected
> to sanitize output data in such a case.

I'd expect most programs to not change the filename printed in their
output.  POSIX does not even expect "ls" to sanitize its output without
"-q", but it does allow it[0].  Two more example programs that do not
sanitize filenames in their output would be "file", at least version
"5.41", and "dash", at least the version[1] included in Ubuntu GNU/Linux
22.04.5 LTS.  I'd expect that you can find many more examples.  Getting
every program changed to follow your expectation seems like a Sisyphean
task to me.

Please note that I am not opposed to adding that feature to every
existing and future program, it just seems foolish to rely on it, at
least currently.

[0]: https://pubs.opengroup.org/onlinepubs/9799919799/utilities/ls.html
[1]: 0.5.11+git20210903+057cd650a4ed-3build1

> [...]
> Note that arbitrary escape sequences from file names can do things
> unexpected by the user, such as clearing the screen, changing the
> terminal width or other terminal settings, though normally with
> limited loss. A crash is worse as one loses the shell session and
> all information related to it.
> [...]
> I've just seen that lzip and plzip have the same issue.

I am quite sure that there are many more such programs.

Best regards,
Erik
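
What escaping a file name before writing it to a terminal could look like, as an added example that is not part of the original thread and not code from gzip, bzip2 or any other program named in it. `sanitize_name` and `print_name` are hypothetical names; the octal escape style, the 255-byte name limit and the assumption of a UTF-8 terminal are choices made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not from any program in the thread): copy `in` to
 * `out`, writing C0 controls, DEL, backslash and UTF-8 encoded C1 controls
 * (0xC2 0x80..0x9F) as \ooo octal escapes. Assumes a UTF-8 terminal.
 * Returns the output length, or (size_t)-1 if `out` is too small. */
size_t sanitize_name(const char *in, char *out, size_t outsz)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t n = 0;

    if (outsz == 0)
        return (size_t)-1;
    while (*p) {
        int c1 = (p[0] == 0xC2 && p[1] >= 0x80 && p[1] <= 0x9F);
        int esc = c1 || *p < 0x20 || *p == 0x7F || *p == '\\';
        size_t bytes = c1 ? 2 : 1;
        if (n + (esc ? 4 * bytes : 1) + 1 > outsz)
            return (size_t)-1;
        for (size_t i = 0; i < bytes; i++) {
            if (esc)
                n += (size_t)snprintf(out + n, 5, "\\%03o", (unsigned)p[i]);
            else
                out[n++] = (char)p[i];
        }
        p += bytes;
    }
    out[n] = '\0';
    return n;
}

/* Escape only when the stream is a terminal; pipes and files get raw bytes. */
void print_name(FILE *fp, const char *name)
{
    char buf[4 * 255 + 1];   /* worst case for a 255-byte name (assumed limit) */
    if (isatty(fileno(fp)))
        name = sanitize_name(name, buf, sizeof buf) != (size_t)-1 ? buf : "?";
    fputs(name, fp);
}

int main(void)
{
    print_name(stdout, "file\033[H\033[c\n\b");   /* file name from the report */
    putchar('\n');
    return 0;
}
```

Bytes 0x80..0x9F that are not part of a valid UTF-8 sequence pass through unchanged here; a terminal running in an 8-bit mode would need those escaped as well.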
