bug-findutils
[bug #54236] Leftover extra chars after C1 control's tty sanitization


From: Egmont Koblinger
Subject: [bug #54236] Leftover extra chars after C1 control's tty sanitization
Date: Mon, 2 Jul 2018 17:38:39 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0

URL:
  <http://savannah.gnu.org/bugs/?54236>

                 Summary: Leftover extra chars after C1 control's tty sanitization
                 Project: findutils
            Submitted by: egmont
            Submitted on: Mon 02 Jul 2018 09:38:37 PM UTC
                Category: find
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 4.6.0
           Fixed Release: None

    _______________________________________________________

Details:

$ touch $'abcdefghi\xC2\x9Bjklmnopqrstuvwxyz'
$ find
.
./abcdefghi?jklmnopqrstuvwxyzz

Notice the double trailing 'z' at the end of the output.

The two-byte C1 control code (U+009B) in this case is replaced by a '?' if the
output is sent to a tty. The rest is apparently correctly shifted by 1 byte in
some internal buffer, but I guess the end is not truncated (or the length is
not decremented).

This can even have security implications, as the leftover part is not subject
to escape sequence sanitization. This way e.g. an ordinary user who creates a
specially named file can drive root's terminal emulator to do tricky things.
Example where the output actually turns red:

$ touch $'alert\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\e[31mred'
$ find
.
./alert?????????[31mredred
                       ^^^
this is actually printed in red in gnome-terminal (and presumably any other
terminal emulator that supports C1 control characters in UTF-8). Other escape
sequences can do nastier things, e.g. type certain (but not arbitrary)
characters as if they were typed by the user.

"find --version" reports 4.7.0-git; dpkg reports 4.6.0+git+20170828-2. Package
from Ubuntu 18.04.

Discovered while answering https://askubuntu.com/q/1051367/398785.




    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?54236>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
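
The failure mode guessed at in the report, as an added example that is not part of the original message and is not findutils' code: a C model of an in-place sanitizer in which skipping the final truncation leaves the stale tail of the buffer unsanitized. The function names, the truncate flag and the buffers are hypothetical; the input is the second file name from the report.

```c
#include <stdio.h>
#include <string.h>

/* Is this the second byte of a UTF-8 encoded C1 control (U+0080..U+009F)? */
static int c1_tail(unsigned char b) { return b >= 0x80 && b <= 0x9F; }

/* Replace C0 controls, DEL and UTF-8 encoded C1 controls with '?', in place.
   buf holds len bytes plus a NUL. With truncate == 0 the shortened result is
   not re-terminated, which models the guess in the report (an assumption). */
static size_t sanitize(char *buf, size_t len, int truncate)
{
    size_t in = 0, out = 0;
    while (in < len) {
        unsigned char c = (unsigned char)buf[in];
        if (c == 0xC2 && in + 1 < len && c1_tail((unsigned char)buf[in + 1])) {
            buf[out++] = '?';          /* two bytes in, one byte out */
            in += 2;
        } else if (c < 0x20 || c == 0x7F) {
            buf[out++] = '?';
            in++;
        } else {
            buf[out++] = buf[in++];
        }
    }
    if (truncate)
        buf[out] = '\0';               /* drop the stale, unsanitized tail */
    return out;
}

/* 1 if a NUL-terminated string still carries a byte the sanitizer targets. */
static int has_control(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7F || (c == 0xC2 && c1_tail((unsigned char)s[1])))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: the second file name from the report. */
    char bad[64] = "alert\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\xC2\x9B\x1B[31mred";
    char good[64];
    memcpy(good, bad, sizeof bad);
    sanitize(bad, strlen(bad), 0);
    sanitize(good, strlen(good), 1);
    printf("stale tail kept:    control bytes remain = %d\n", has_control(bad));
    printf("stale tail dropped: control bytes remain = %d\n", has_control(good));
    return 0;
}
```

The program prints only the flags, never the unsanitized buffer, so running it does not send the escape sequence to the terminal.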
