Package: grep;
To reply to this bug, email your comments to 69445 AT debbugs.gnu.org.
bug-grep <at> gnu.org: bug#69445; Package grep. (28 Feb 2024 01:53:01 GMT)
sjf5462 <at> rit.edu: bug-grep <at> gnu.org. (28 Feb 2024 01:53:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
From: "Skyler Ferrante (RIT Student)" <sjf5462 <at> rit.edu>
To: bug-grep <at> gnu.org
Subject: Grep poorly handles ansi characters in filename match
Date: 27 Feb 2024 20:18:08 -0500

Hello,

When grep prints filenames (such as in grep -r), it does not seem to check for ANSI escape sequences.

Reproduce:

```
# Create a file whose name carries ANSI escape sequences, then search for it
filename=$(printf "\033[33;1;4myello_underline\033[0m")
echo hi > "$filename"
grep -r "hi" .
```

If you squint, this could be seen as a security risk, but I think it's probably not. An attacker could hide logs when searched with grep if they could create files with arbitrary names in a directory a user might search. There's also the issue of bad terminals that allow command execution from escape sequences.

I'll let you decide if it should get a CVE/marked as a security issue or not. I did not see any prior bug reports of this; hopefully this isn't something you already know about.

Cheers,
Skyler
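
A defensive sketch of the behaviour the report asks about, added here as an example and not taken from the report or from grep: a fixed-string recursive search that escapes control characters in filenames and matched lines before they reach the terminal, plus a scan that flags names containing them. The names `visible`, `safe_grep` and `flagged_names` are hypothetical, and the search is a plain Python stand-in, not grep's matcher.

```python
import os
import re
import tempfile

# C0 controls, DEL and C1 controls; ESC (0x1b) is what starts an ANSI sequence.
CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")

def visible(raw: bytes) -> str:
    """Decode bytes for display, rendering control characters as \\xNN."""
    text = raw.decode("utf-8", "backslashreplace")
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)

def safe_grep(root: str, needle: bytes):
    """Fixed-string recursive search; returns (path, line_no, line) with
    path and line escaped so a terminal never interprets them."""
    hits = []
    for dirpath, _dirs, files in os.walk(os.fsencode(root)):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue  # skip FIFOs, sockets and dangling symlinks
            try:
                with open(path, "rb") as fh:
                    for no, line in enumerate(fh, 1):
                        if needle in line:
                            hits.append((visible(path), no, visible(line.rstrip(b"\n"))))
            except OSError:
                continue  # unreadable file: skip it silently
    return hits

def flagged_names(root: str):
    """Escaped paths of entries whose own name contains a control character."""
    out = []
    for dirpath, dirs, files in os.walk(os.fsencode(root)):
        for name in dirs + files:
            if CONTROL.search(name.decode("utf-8", "backslashreplace")):
                out.append(visible(os.path.join(dirpath, name)))
    return sorted(out)

if __name__ == "__main__":
    # Constructed sample: the filename from the report, in a scratch directory.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "\033[33;1;4myello_underline\033[0m"), "w") as fh:
            fh.write("hi\n")
        for path, no, line in safe_grep(tmp, b"hi"):
            print(f"{path}:{no}:{line}")
        print("flagged:", flagged_names(tmp))
```

The escaped form is for display only; it does not escape literal backslashes, so it is not a reversible encoding of the original name.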