bug-bash
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bash not escaping escape sequences in directory names

From: Koichi Murase
Subject: Re: Bash not escaping escape sequences in directory names
Date: Sat, 22 Jan 2022 21:32:50 +0900 
2022年1月22日(土) 19:54 Andreas Kusalananda Kähäri <andreas.kahari@abc.se>:
> [...]
> > Highly unlikely. It would require an implausible scenario.
>
> Mind if I use that quote? :-)
>
> Example of interesting values to test in PS1, with discussions:
>
>         https://security.stackexchange.com/q/56307

These cases discussed in the above page for the command "cat" are all
considered to be the vulnerabilities of terminal emulators, but not
the security issues of "cat". If you look at these CVE reports, you
can find that none attributes the issue to the command "cat". Bash
outputs the directory names in the prompt just like "cat", which is
not considered a security issue of "Bash".

If one started to argue that every application should work around
possible bugs of terminal emulators caused by weird directory names,
literally every application would need to be patched. For an obvious
example, the command "ls" would need to quote the filenames (even
without the option -Q) by default, which would conflict with POSIX.
For another example, every command-line program would need to quote
the filenames in its error messages, output logs, etc. I don't think
that is a valid argument.

The real issue here is just

> > > On Fri, Jan 21, 2022 at 03:29:47PM -0500, Chet Ramey wrote:
> > > > A mild annoyance at best, don't you think?

but I think this is important. I don't see any reason to refrain from
quoting the directory names in the prompt considering that the control
characters in the text input by users using C-v or C-q are already
quoted as e.g. ^[.

I guess the current behavior also causes inconsistencies between the
actual cursor position in the terminal and the virtual cursor position
in Readline. I believe we should quote control characters in the
directory names for the prompt.

# This is a side note, but it's not necessarily a "mild"
# annoyance but can be a big annoyance depending on the escape
# sequences in the directory names. For example, most people
# without sufficient knowledge must reset the terminal with the
# following directory name:
#
# $ mkdir $'\e[H\e[?69h\e[1;2s\e[1;2r'
# $ cd !$
#
# You can try this with a terminal that supports DECSLRM such as
# xterm.

--
Koichi
reply via email to
[Prev in Thread] Current Thread [Next in Thread]