GNU bug report logs - #69445
Grep poorly handles ansi characters in filename match

Package: grep;

Reported by: sjf5462 <at> rit.edu

Date: Wed, 28 Feb 2024 01:53:01 UTC

Severity: normal

From: "Skyler Ferrante (RIT Student)" <sjf5462 <at> rit.edu>
To: 69445 <at> debbugs.gnu.org
Subject: bug#69445: Grep poorly handles ansi characters in filename match
Date: Tue, 27 Feb 2024 20:18:08 -0500

Hello,

When grep prints filenames (such as in grep -r), it does not seem to
check for ANSI escape sequences.

Reproduce:
```
filename=$(printf "\033[33;1;4myello_underline\033[0m")
echo hi > "$filename"
grep -r "hi" .
```

If you squint, this could be seen as a security risk, but I think it's
probably not. An attacker could hide logs when searched with grep if
they could create files with arbitrary names in a directory a user
might search. There's also the issue of bad terminals that allow
command execution from escape sequences. I'll let you decide if it
should get a CVE/marked as a security issue or not.

I did not see any prior bug reports of this; hopefully this isn't
something you already know about.

Cheers,
Skyler
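
As an added example (not part of the report above and not grep's own code), the following shell helpers make control bytes in file names visible before they reach a terminal, either by auditing a directory tree or by filtering grep output. The names `ESC_CTRL_AWK`, `esc_ctrl` and `find_ctrl_names` are hypothetical.

```shell
#!/bin/sh
# Added example; helper names below are hypothetical, not from grep or the report.

# awk program: rewrite every control byte (0x01-0x1f, 0x7f) as a \ooo octal
# escape so a terminal displays the sequence instead of interpreting it.
# Bytes >= 0x80 pass through unchanged so UTF-8 names stay readable; C1
# controls encoded that way are not rewritten.
ESC_CTRL_AWK='
function esc(s,   i, c, n, out) {
    out = ""
    for (i = 1; i <= length(s); i++) {
        c = substr(s, i, 1); n = ord[c]
        out = out ((n < 32 || n == 127) ? sprintf("\\%03o", n) : c)
    }
    return out
}
BEGIN {
    for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i
    if (ARGC > 1) {          # names passed as arguments (may contain newlines)
        for (k = 1; k < ARGC; k++) print esc(ARGV[k])
        exit
    }
}
{ print esc($0) }            # no arguments: filter stdin, e.g. grep output
'

# esc_ctrl [NAME...]: print each NAME escaped; with no arguments, filter stdin.
# LC_ALL=C makes awk work on single bytes.
esc_ctrl() {
    LC_ALL=C awk -- "$ESC_CTRL_AWK" "$@"
}

# find_ctrl_names DIR: list, in escaped form, every path under DIR whose final
# component contains a control byte (the kind of name the report creates).
find_ctrl_names() {
    LC_ALL=C find "$1" -name '*[[:cntrl:]]*' -exec awk "$ESC_CTRL_AWK" {} +
}
```

Typical use is `grep -r "hi" . | esc_ctrl` for display, or `find_ctrl_names .` to audit a tree before searching it.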




This bug report was last modified 259 days ago.
