Report forwarded to debian-bugs-dist@lists.debian.org, Wichert Akkerman <wakkerma@debian.org>:
Bug#42630; Package grep.
Subject: Bug#42630: grep: Potential security risk: control characters in filenames are printed without filtering.
Reply-To: korn@eik.bme.hu, 42630@bugs.debian.org
Resent-From: korn@eik.bme.hu
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: Wichert Akkerman
Resent-Date: Sat, 07 Aug 1999 21:33:00 GMT
Resent-Message-ID:
Resent-Sender: iwj@debian.org
X-Debian-PR-Message: report 42630
X-Debian-PR-Package: grep
X-Debian-PR-Keywords:
X-Loop: owner@bugs.debian.org
Received: via spool by bugs@bugs.debian.org id=B.93406096623680
(code B ref -1); Sat, 07 Aug 1999 21:33:00 GMT
Date: 7 Aug 1999 21:17:49 -0000
Message-ID: <19990807211749.6558.qmail@utopia>
From: korn@eik.bme.hu
To: submit@bugs.debian.org
X-Mailer: bug 3.2.2
Package: grep
Version: 2.3-4
Severity: normal

Hi,

if you create a file named ^G (ctrl-g) and do something like grep foo * in
the directory where the file resides, you will hear a beep when grep prints
the line

^G:foo

(naturally only if ^G contained 'foo').

A malicious user could create a file whose name contains more harmful
control characters and wait for another user to grep for a string that file
contains.

I admit this is a long shot, but still: filenames should be filtered and
control characters removed before the name of the file is printed.

This potentially affects many other packages as well. I have verified that
joe is vulnerable and have posted a bug report; I don't have the time to
check any other programs.

Perhaps this issue should be brought up on bugtraq as well.

Best regards,

--
Andrew Korn (Korn Andras) http://goliat.eik.bme.hu/~korn
Finger korn@goliat.eik.bme.hu for pgp key. Homepage is obsolete. QOTD:
User (n): technical term used by programmers - see idiot.

-- System Information
Debian Release: potato
Kernel Version: Linux utopia 2.2.10-ac12 #59 Fri Jul 23 17:23:40 CEST 1999 i586 unknown

Versions of the packages grep depends on:
ii libc6 2.1.2-0pre1 GNU C Library: Shared libraries and timezone

Acknowledgement sent to korn@eik.bme.hu:
New bug report received and forwarded. Copy sent to Wichert Akkerman <wakkerma@debian.org>.
Information forwarded to debian-bugs-dist@lists.debian.org, Robert van der Meulen <rvdm@debian.org>, grep@packages.qa.debian.org:
Bug#42630; Package grep.
X-Loop: owner@bugs.debian.org
Subject: Bug#42630: grep: Potential security risk: control characters in filenames are printed without filtering.
Reply-To: Matt Zimmerman , 42630@bugs.debian.org
Resent-From: Matt Zimmerman
Original-Sender: Matt Zimmerman
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: Robert van der Meulen , grep@packages.qa.debian.org
Resent-Date: Tue, 13 Aug 2002 01:03:06 GMT
Resent-Message-ID:
Resent-Sender: owner@bugs.debian.org
X-Debian-PR-Message: report 42630
X-Debian-PR-Package: grep
X-Debian-PR-Keywords:
Received: via spool by 42630-submit@bugs.debian.org id=B42630.10292001959736
(code B ref 42630); Tue, 13 Aug 2002 01:03:06 GMT
Date: Mon, 12 Aug 2002 20:56:30 -0400
From: Matt Zimmerman
To: 42630@bugs.debian.org, 42630-submitter@bugs.debian.org
Cc: Martin Michlmayr
Message-ID: <20020813005630.GA19807@alcor.net>
References: <20020812231757.A10293@fisch.cyrius.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020812231757.A10293@fisch.cyrius.com>
User-Agent: Mutt/1.4i
Sender: Matt Zimmerman
Delivered-To: 42630@bugs.debian.org
> if you create a file named ^G (ctrl-g) and do something like grep foo * in
> the directory where the file resides, you will hear a beep when grep
> prints the line
>
> ^G:foo
>
> (naturally only if ^G contained 'foo').
>
> A malicious user could create a file whose name contains more harmful
> control characters and wait for another user to grep for a string that
> file contains.
>
> I admit this is a long shot, but still: filenames should be filtered and
> control characters removed before the name of the file is printed.

The file could just as easily have control characters within its data as in
its filename. Replace 'grep' with 'cat' and this still holds true. It is
not grep's responsibility to filter its output; indeed, it would surely
break many scripts if it were to do so. Moreover, it cannot (and should
not) know the effect of every possible control sequence for every terminal
type.

If you are concerned about potentially hostile information being written to
your terminal, pipe the output through a pager which can filter all control
characters, like less.

This bug should be closed.

--
- mdz

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert van der Meulen <rvdm@debian.org>, grep@packages.qa.debian.org.
Message sent on to korn@eik.bme.hu:
Bug#42630.
Information forwarded to debian-bugs-dist@lists.debian.org, Robert van der Meulen <rvdm@debian.org>, grep@packages.qa.debian.org:
Bug#42630; Package grep.
X-Loop: owner@bugs.debian.org
Subject: Bug#42630: grep: Potential security risk: control characters in filenames are printed without filtering.
Reply-To: "KORN Andras" , 42630@bugs.debian.org
Resent-From: "KORN Andras"
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: Robert van der Meulen , grep@packages.qa.debian.org
Resent-Date: Sat, 17 Aug 2002 18:33:07 GMT
Resent-Message-ID:
Resent-Sender: owner@bugs.debian.org
X-Debian-PR-Message: report 42630
X-Debian-PR-Package: grep
X-Debian-PR-Keywords:
Received: via spool by 42630-submit@bugs.debian.org id=B42630.10296087336685
(code B ref 42630); Sat, 17 Aug 2002 18:33:07 GMT
From: "KORN Andras"
Date: Sat, 17 Aug 2002 20:25:28 +0200
To: Matt Zimmerman , 42630@bugs.debian.org,
Martin Michlmayr , control@bugs.debian.org
Message-ID: <20020817182528.GA30876@hellgate.intra.guy>
References: <20020812231757.A10293@fisch.cyrius.com> <20020813005630.GA19807@alcor.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
In-Reply-To: <20020813005630.GA19807@alcor.net>
User-Agent: Mutt/1.3.28i
Organization: Technical University of Budapest, Department of Calculus
Delivered-To: 42630@bugs.debian.org
severity 42630 wishlist
retitle 42630 Filter non-printable characters from filenames before printing them
tags 42630 security
thanks
> > if you create a file named ^G (ctrl-g) and do something like grep foo * in
> > the directory where the file resides, you will hear a beep when grep
> > prints the line
> >
> > ^G:foo
> >
> > (naturally only if ^G contained 'foo').
> >
> > A malicious user could create a file whose name contains more harmful
> > control characters and wait for another user to grep for a string that
> > file contains.
> >
> > I admit this is a long shot, but still: filenames should be filtered and
> > control characters removed before the name of the file is printed.
>
> The file could just as easily have control characters within its data as in
> its filename. Replace 'grep' with 'cat' and this still holds true. It is
> not grep's responsibility to filter its output; indeed, it would surely
> break many scripts if it were to do so. Moreover, it cannot (and should
> not) know the effect of every possible control sequence for every terminal
> type.
>
> If you are concerned about potentially hostile information being written to
> your terminal, pipe the output through a pager which can filter all control
> characters, like less.
>
> This bug should be closed.

I agree that the bug should be downgraded (and indeed I'm doing that now),
but I don't fully agree with your arguments.

I think that file names are less suspected of containing harmful sequences
than the files themselves; while many of us know that it is not safe to
'cat' an unknown file, a lot fewer people would think twice before doing a
'grep foo *' in a directory.

I believe 'grep' (and other tools that print filenames) should replace
potentially dangerous characters with an escape sequence before outputting
them; an option to turn this behaviour off should, of course, be provided.
'ls' already does something similar. Some shells do too, when expanding
filenames in the command-line editor.

The locale settings (which grep needs to be aware of anyway) provide a good
way of finding out what characters are 'printable' in the current locale.

I don't think such a modification would break many scripts, because not many
nonprintable characters are normally present in filenames.

Andrew
--
Andrew Korn (Korn Andras)
Finger korn@chardonnay.math.bme.hu for pgp key. QOTD:
Twisted mind? No...just bent in several strategic places.
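
The escaping proposed in the message above, sketched in C as an added example; it is not code from grep or from anyone in this thread. The names escape_filename and format_match are hypothetical, the octal escape style is an assumption, and the byte-wise isprint() test only covers single-byte locales (a multibyte locale would need mbrtowc/iswprint instead).

```c
#include <ctype.h>
#include <locale.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Worst case: every input byte becomes a 4-byte octal escape. */
#define SAFE_MAX (4 * 4096 + 1)

/* Hypothetical helper: copy `name` into `out`, replacing every byte that
 * isprint() rejects in the current LC_CTYPE locale with a backslash and
 * three octal digits. A literal backslash is doubled so the escaped form
 * stays unambiguous. Returns the number of bytes written (without the
 * terminating NUL), or -1 if `out` is too small. */
int escape_filename(const char *name, char *out, size_t outsz)
{
    size_t o = 0;

    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        size_t need = (*p == '\\') ? 2 : (isprint(*p) ? 1 : 4);

        if (o + need + 1 > outsz)       /* always keep room for the NUL */
            return -1;
        if (*p == '\\') {
            out[o++] = '\\';
            out[o++] = '\\';
        } else if (isprint(*p)) {
            out[o++] = (char)*p;
        } else {
            out[o++] = '\\';
            out[o++] = (char)('0' + ((*p >> 6) & 7));
            out[o++] = (char)('0' + ((*p >> 3) & 7));
            out[o++] = (char)('0' + (*p & 7));
        }
    }
    if (o + 1 > outsz)                  /* only reachable when outsz == 0 */
        return -1;
    out[o] = '\0';
    return (int)o;
}

/* Hypothetical helper: build the "filename:line" output shown in the
 * report. raw != 0 is the opt-out asked for in the thread and reproduces
 * the unfiltered behaviour. Only the file name is escaped; the matched
 * line is passed through unchanged. Returns the length, or -1 on overflow. */
int format_match(const char *name, const char *line, int raw,
                 char *out, size_t outsz)
{
    char safe[SAFE_MAX];
    int n;

    if (!raw) {
        if (escape_filename(name, safe, sizeof safe) < 0)
            return -1;
        name = safe;
    }
    n = snprintf(out, outsz, "%s:%s", name, line);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
    const char name[] = "\a";   /* constructed: the ^G file name from the report */
    char buf[64];
    int raw;

    /* Use the user's locale to decide what counts as printable. */
    setlocale(LC_CTYPE, "");

    /* Assumption of this example: escape only when writing to a terminal,
     * so output piped into scripts keeps the exact file name bytes. */
    raw = !isatty(STDOUT_FILENO);

    if (format_match(name, "foo", raw, buf, sizeof buf) >= 0)
        puts(buf);
    return 0;
}
```

Tying the default to isatty() addresses both positions in the thread: an interactive user never has file name bytes interpreted by the terminal, and pipelines see unmodified names.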
Acknowledgement sent to "KORN Andras" <korn@chardonnay.math.bme.hu>:
Extra info received and forwarded to list. Copy sent to Robert van der Meulen <rvdm@debian.org>, grep@packages.qa.debian.org.
Severity set to `wishlist'.
Request was from "KORN Andras" <korn@chardonnay.math.bme.hu>
to control@bugs.debian.org.
Changed Bug title.
Request was from "KORN Andras" <korn@chardonnay.math.bme.hu>
to control@bugs.debian.org.
Tags added: security
Request was from "KORN Andras" <korn@chardonnay.math.bme.hu>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Robert van der Meulen <rvdm@debian.org>, grep@packages.qa.debian.org:
Bug#42630; Package grep.
X-Loop: owner@bugs.debian.org
Subject: Bug#42630: grep: Potential security risk: control characters in filenames are printed without filtering.
Reply-To: Matt Zimmerman , 42630@bugs.debian.org
Resent-From: Matt Zimmerman
Original-Sender: Matt Zimmerman
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: Robert van der Meulen , grep@packages.qa.debian.org
Resent-Date: Sat, 17 Aug 2002 21:48:04 GMT
Resent-Message-ID:
Resent-Sender: owner@bugs.debian.org
X-Debian-PR-Message: report 42630
X-Debian-PR-Package: grep
X-Debian-PR-Keywords: security
Received: via spool by 42630-submit@bugs.debian.org id=B42630.102962055314271
(code B ref 42630); Sat, 17 Aug 2002 21:48:04 GMT
Date: Sat, 17 Aug 2002 17:42:26 -0400
From: Matt Zimmerman
To: KORN Andras
Cc: 42630@bugs.debian.org, Martin Michlmayr
Message-ID: <20020817214226.GF804@alcor.net>
References: <20020812231757.A10293@fisch.cyrius.com> <20020813005630.GA19807@alcor.net> <20020817182528.GA30876@hellgate.intra.guy>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020817182528.GA30876@hellgate.intra.guy>
User-Agent: Mutt/1.4i
Sender: Matt Zimmerman
Delivered-To: 42630@bugs.debian.org
tags 42630 - security
thanks
On Sat, Aug 17, 2002 at 08:25:28PM +0200, KORN Andras wrote:
> I agree that the bug should be downgraded (and indeed I'm doing that now),
> but I don't fully agree with your arguments.
>
> I think that file names are less suspected of containing harmful sequences
> than the files themselves; while many of us know that it is not safe to
> 'cat' an unknown file, a lot fewer people would think twice before doing a
> 'grep foo *' in a directory.
To assume that the grep operation is safe, while the cat operation is not,
would be unwise to say the least. Both of those operations, when used in a
potentially hostile directory, read untrusted data and write it to stdout
(including a terminal).
> I believe 'grep' (and other tools that print filenames) should replace
> potentially dangerous characters with an escape sequence before outputting
> them; an option to turn this behaviour off should, of course, be provided.
In the event that such an option were implemented, it would be ludicrous to
enable it by default unless the output file descriptor is a terminal. Even
then, it is questionable. To do otherwise would gratuitously break simple,
reasonable constructs such as this:
for filename in "`grep -l pattern files...`"; do
    ...operate on $filename...
done
> 'ls' already does something similar. Some shells do too, when expanding
> filenames in the command-line editor.
> The locale settings (which grep needs to be aware of anyway) provide a good
> way of finding out what characters are 'printable' in the current locale.
ls(1) does this in an attempt to prevent its output from being corrupted
when displayed on a terminal, not because it pretends to shield the user
from a potential security hazard. Likewise for shells, which do this to
make odd filenames more convenient to work with by automatically quoting
them. This is the exception, and not the rule.
Even within fileutils, for example, du(1) does no such filtering on its
output. Nor does find(1) or xargs(1), though they deal even more directly
with individual filenames.
This is not a security bug, but a request for a convenience feature.
--
- mdz
Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert van der Meulen <rvdm@debian.org>, grep@packages.qa.debian.org.
Tags removed: security
Request was from Matt Zimmerman <mdz@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Robert van der Meulen <rvdm@debian.org>, grep@packages.qa.debian.org:
Bug#42630; Package grep.
X-Loop: owner@bugs.debian.org
Subject: Bug#42630: grep: Potential security risk: control characters in filenames are printed without filtering.
Reply-To: "KORN Andras" , 42630@bugs.debian.org
Resent-From: "KORN Andras"
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: Robert van der Meulen , grep@packages.qa.debian.org
Resent-Date: Sun, 18 Aug 2002 08:48:01 GMT
Resent-Message-ID:
Resent-Sender: owner@bugs.debian.org
X-Debian-PR-Message: report 42630
X-Debian-PR-Package: grep
X-Debian-PR-Keywords:
Received: via spool by 42630-submit@bugs.debian.org id=B42630.10296595887426
(code B ref 42630); Sun, 18 Aug 2002 08:48:01 GMT
From: "KORN Andras"
Date: Sun, 18 Aug 2002 10:33:02 +0200
To: Matt Zimmerman
Cc: 42630@bugs.debian.org
Message-ID: <20020818083302.GA32533@hellgate.intra.guy>
References: <20020812231757.A10293@fisch.cyrius.com> <20020813005630.GA19807@alcor.net> <20020817182528.GA30876@hellgate.intra.guy> <20020817214226.GF804@alcor.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
In-Reply-To: <20020817214226.GF804@alcor.net>
User-Agent: Mutt/1.3.28i
Organization: Technical University of Budapest, Department of Calculus
Delivered-To: 42630@bugs.debian.org
On Sat, Aug 17, 2002 at 05:42:26PM -0400, Matt Zimmerman wrote:
> To assume that the grep operation is safe, while the cat operation is not,
> would be unwise to say the least. Both of those operations, when used in a
> potentially hostile directory, read untrusted data and write it to stdout
> (including a terminal).
There is no need to convince me of this. I was trying to explain that people
don't think about those operations the same way, but apparently I wasn't
being good at it.
> > I believe 'grep' (and other tools that print filenames) should replace
> > potentially dangerous characters with an escape sequence before outputting
> > them; an option to turn this behaviour off should, of course, be provided.
> In the event that such an option were implemented, it would be ludicrous to
> enable it by default unless the output file descriptor is a terminal.
Naturally. I thought this was obvious.
> Even then, it is questionable. To do otherwise would gratuitously break
> simple, reasonable constructs such as this:
>
> for filename in "`grep -l pattern files...`"; do
>     ...operate on $filename...
> done
It wouldn't, because the output descriptor is not a terminal, and because
filenames _generally_ do not contain nonprintable characters (which is a
point you keep ignoring).
You haven't yet named a single case where such a filtering, as a new
default, would break scripts because grep writes to a terminal.
> > 'ls' already does something similar. Some shells do too, when expanding
> > filenames in the command-line editor.
> > The locale settings (which grep needs to be aware of anyway) provide a good
> > way of finding out what characters are 'printable' in the current locale.
> ls(1) does this in an attempt to prevent its output from being corrupted
> when displayed on a terminal, not because it pretends to shield the user
> from a potential security hazard.
Nevertheless, that is a welcome side effect.
> Likewise for shells, which do this to
> make odd filenames more convenient to work with by automatically quoting
> them. This is the exception, and not the rule.
And why do you think this condition has to prevail?
> Even within fileutils, for example, du(1) does no such filtering on its
> output. Nor does find(1) or xargs(1), though they deal even more directly
> with individual filenames.
xargs doesn't normally print the filenames it gets on a terminal. 'du' and
'find' should, imho, do the same filtering I expect from grep (yes,
obviously only when writing to a terminal).
> This is not a security bug, but a request for a convenience feature.
I fail to see how it would make grep more convenient, but feel free to
enlighten me.
Anyway, this issue isn't worth arguing any further about; I don't think
realistic exploits of this problem will surface in the foreseeable future.
It would just have been something worth fixing to maintain a consistently
high quality standard.
Andrew
--
Andrew Korn (Korn Andras)
Finger korn@chardonnay.math.bme.hu for pgp key. QOTD:
Dumb luck beats sound planning every time. Trust me.
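The behaviour argued over in the messages above (escape non-printable filename bytes, but only when the output descriptor is a terminal) as an added example; it is not code from grep, findutils or any participant in this thread. The names `escape_filename` and `format_prefix`, the `\ooo` octal escape format and the byte-wise (single-byte locale) handling are assumptions, and the sample filenames are constructed.

```c
#include <ctype.h>
#include <locale.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: write NAME to OUT with every byte that isprint()
 * rejects in the current LC_CTYPE locale replaced by a \ooo octal escape.
 * A literal backslash is doubled so the result stays unambiguous.
 * Byte-wise only: a multibyte locale would need mbrtowc()/iswprint().
 * Returns the length written, or -1 if OUT is too small. */
static int escape_filename(const char *name, char *out, size_t outsz)
{
    size_t o = 0;

    if (outsz == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        size_t need = (*p == '\\') ? 2 : isprint(*p) ? 1 : 4;

        if (o + need + 1 > outsz)      /* keep room for the final NUL */
            return -1;
        if (*p == '\\') {
            out[o++] = '\\';
            out[o++] = '\\';
        } else if (isprint(*p)) {
            out[o++] = (char)*p;
        } else {
            out[o++] = '\\';
            out[o++] = (char)('0' + ((*p >> 6) & 7));
            out[o++] = (char)('0' + ((*p >> 3) & 7));
            out[o++] = (char)('0' + (*p & 7));
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build the "filename:" prefix printed before a matching line.
 * TO_TTY is the caller's isatty() result: escape only for a terminal, so
 * pipes and command substitution still receive the exact filename bytes. */
static int format_prefix(const char *name, int to_tty, char *out, size_t outsz)
{
    int n;

    if (to_tty) {
        n = escape_filename(name, out, outsz);
    } else {
        size_t len = strlen(name);

        if (len + 1 > outsz)
            return -1;
        memcpy(out, name, len + 1);
        n = (int)len;
    }
    if (n < 0 || (size_t)n + 2 > outsz)
        return -1;
    out[n] = ':';
    out[n + 1] = '\0';
    return n + 1;
}

int main(void)
{
    /* Constructed sample names: the ^G file from the report, a name
     * carrying an ESC-introduced sequence, and an ordinary name. */
    const char *samples[] = { "\a", "notes\033[2Jtxt", "plain.txt" };
    char buf[256];
    int to_tty = isatty(STDOUT_FILENO);

    setlocale(LC_CTYPE, "");           /* let the locale define "printable" */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        if (format_prefix(samples[i], to_tty, buf, sizeof buf) >= 0) {
            fputs(buf, stdout);
            fputs("foo\n", stdout);
        }
    }
    return 0;
}
```

Run on a terminal, the first sample prints as `\007:foo` with no beep; piped into another program, the same call emits the raw byte.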
Acknowledgement sent to "KORN Andras" <korn@chardonnay.math.bme.hu>:
Extra info received and forwarded to list. Copy sent to Robert van der Meulen <rvdm@debian.org>, grep@packages.qa.debian.org.
Changed Bug submitter from korn@eik.bme.hu to Andras Korn <korn-debbugs@chardonnay.math.bme.hu>.
Request was from Andras Korn <korn-debbugs@chardonnay.math.bme.hu>
to control@bugs.debian.org.
Received: (at control) by bugs.debian.org; 18 Sep 2003 21:46:47 +0000
From korn-control=bugs.debian.org@chardonnay.math.bme.hu Thu Sep 18 16:46:13 2003
Return-path:
Received: from chardonnay.math.bme.hu [152.66.83.144]
by master.debian.org with smtp (Exim 3.35 1 (Debian))
id 1A06bN-0003Kd-00; Thu, 18 Sep 2003 16:46:13 -0500
Received: (qmail 23993 invoked by uid 1000); 18 Sep 2003 21:46:12 -0000
Date: Thu, 18 Sep 2003 23:46:12 +0200
From: Andras Korn
To: control@bugs.debian.org
Subject: change of email address
Message-ID: <20030918214611.GA18900@chardonnay.math.bme.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Organization: Technical University of Budapest, Department of Calculus
User-Agent: Mutt/1.5.4i
Delivered-To: control@bugs.debian.org
submitter 42630 !
thanks
Trying to keep some of the spammers out...
--
Andrew Korn (Korn Andras)
Finger korn at chardonnay.math.bme.hu for pgp key. QOTD:
Never trust an engineer!
Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#42630; Package grep.
X-Loop: owner@bugs.debian.org
Subject: Bug#42630: grep: Potential security risk: control characters in filenames are printed without filtering.
Reply-To: Vincent Lefevre , 42630@bugs.debian.org
Resent-From: Vincent Lefevre
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: Anibal Monsalve Salazar
Resent-Date: Tue, 09 Sep 2008 10:51:01 +0000
Resent-Message-ID:
Resent-Sender: owner@bugs.debian.org
X-Debian-PR-Message: followup 42630
X-Debian-PR-Package: grep
X-Debian-PR-Keywords:
X-Debian-PR-Source: grep
Received: via spool by 42630-submit@bugs.debian.org id=B42630.12209573953421
(code B ref 42630); Tue, 09 Sep 2008 10:51:01 +0000
Received: (at 42630) by bugs.debian.org; 9 Sep 2008 10:49:55 +0000
Received: from vinc17.pck.nerim.net ([213.41.242.187] helo=prunille.vinc17.org)
by rietz.debian.org with esmtp (Exim 4.63)
(envelope-from )
id 1Kd0nD-0000sN-AK
for 42630@bugs.debian.org; Tue, 09 Sep 2008 10:49:55 +0000
Received: by prunille.vinc17.org (Postfix, from userid 501)
id 8D14C28C5A9A; Tue, 9 Sep 2008 12:49:53 +0200 (CEST)
Date: Tue, 9 Sep 2008 12:49:53 +0200
From: Vincent Lefevre
To: KORN Andras
Cc: Matt Zimmerman , 42630@bugs.debian.org
Message-ID: <20080909104953.GA13043@prunille.vinc17.org>
References: <20020812231757.A10293@fisch.cyrius.com> <20020813005630.GA19807@alcor.net> <20020817182528.GA30876@hellgate.intra.guy> <20020817214226.GF804@alcor.net> <20020818083302.GA32533@hellgate.intra.guy>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <20020818083302.GA32533@hellgate.intra.guy>
X-Mailer-Info: http://www.vinc17.org/mutt/
User-Agent: Mutt/1.5.18-vl-r23999 (2008-08-31)
Content-Transfer-Encoding: quoted-printable
On 2002-08-18 10:33:02 +0200, KORN Andras wrote:
> On Sat, Aug 17, 2002 at 05:42:26PM -0400, Matt Zimmerman wrote:
> > To assume that the grep operation is safe, while the cat operation is not,
> > would be unwise to say the least. Both of those operations, when used in a
> > potentially hostile directory, read untrusted data and write it to stdout
> > (including a terminal).
I've opened a new bug concerning the non-printable characters in the
file contents:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498336
> There is no need to convince me of this. I was trying to explain
> that people don't think about those operations the same way, but
> apparently I wasn't being good at it.
I agree with you. In general, people use utilities such as "less" or
text editors to read file contents, not "cat". And when "cat" is used,
it is usually on some well-determined file, whereas "grep" is sometimes
used recursively, making it even more hazardous.
Another point is that non-printable characters can affect the coloring
done by grep itself, making any post-filtering more or less impossible.
> 'find' should, imho, do the same filtering I expect from grep (yes,
> obviously only when writing to a terminal).
It now does:
findutils (4.2.22-1) unstable; urgency=low
* New upstream version
- fixes infinite loop of "find -follow" on trees with symlinks to ./.
(Closes: #313081)
- better documentation for %k and %d printf directives. (Closes: #208307)
- find filters out non-printable characters (which could mess up the
terminal) when printing the output to a console. (Closes: #311384)
- Typo fixes. (Closes: #301934, #312760, #312761) (Thanks, A Costa.)
-- Andreas Metzler Mon, 13 Jun 2005 19:39:46 +0200
> Anyway, this issue isn't worth arguing any further about; I don't think
> realistic exploits of this problem will surface in the foreseeable future.
FYI, I already had the output of my terminal sent to a *shared* printer
due to a problem like this.
-- 
Vincent Lefèvre - Web:
100% accessible validated (X)HTML - Blog:
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
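The behaviour described in the findutils changelog entry quoted above (filter non-printable characters only when output goes to a console), sketched for a grep-style `name:line` prefix. This is an added example, not code from grep, findutils or any message in this thread; `quote_name` and `print_match` are hypothetical names, octal escaping is this example's choice, and a UTF-8 terminal is assumed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not grep or findutils code. Copies name into out,
 * writing control bytes as \ooo escapes and doubling backslashes. Assumes a
 * UTF-8 terminal, where C1 controls arrive as the pair 0xC2 0x80..0x9F.
 * Returns the number of bytes escaped, or -1 if out is too small. */
static int quote_name(const char *name, char *out, size_t cap)
{
    const unsigned char *p = (const unsigned char *)name;
    size_t o = 0;
    int escaped = 0;
    if (cap == 0) return -1;
    for (; *p; p++) {
        int c1 = (*p == 0xC2 && p[1] >= 0x80 && p[1] <= 0x9F);
        int n = c1 ? 2 : 1;                 /* bytes to escape this round */
        if (*p < 0x20 || *p == 0x7F || c1) {
            for (int i = 0; i < n; i++, escaped++) {
                if (cap - o < 5) return -1; /* room for "\ooo" and NUL */
                o += (size_t)snprintf(out + o, cap - o, "\\%03o", (unsigned)p[i]);
            }
            p += n - 1;
        } else {
            if (cap - o < 3) return -1;     /* up to two bytes and NUL */
            if (*p == '\\') out[o++] = '\\';
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return escaped;
}

/* Print a grep-style "name:line" record. The name is quoted only when fp is
 * a terminal; pipes and files receive the original bytes. */
static int print_match(FILE *fp, const char *name, const char *line)
{
    char buf[1024];
    if (isatty(fileno(fp)))
        name = quote_name(name, buf, sizeof buf) >= 0 ? buf : "<unprintable name>";
    return fprintf(fp, "%s:%s\n", name, line);
}

int main(void)
{
    /* Constructed names: a bare BEL, and an embedded clear-screen sequence. */
    print_match(stdout, "\a", "foo");
    print_match(stdout, "notes\033[2J.txt", "foo");
}
```

Run on a terminal, the names appear as `\007` and `notes\033[2J.txt`; redirected to a file or pipe, the raw bytes are preserved for downstream tools.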
Acknowledgement sent to Vincent Lefevre <vincent@vinc17.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>.
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.420 (Entity 5.420)
Content-Type: text/plain; charset=utf-8
X-Loop: owner@bugs.debian.org
From: owner@bugs.debian.org (Debian Bug Tracking System)
To: Vincent Lefevre
Subject: Bug#42630: Info received (Bug#42630: grep: Potential security
risk: control characters in filenames are printed without filtering.)
Message-ID:
References: <20080909104953.GA13043@prunille.vinc17.org>
X-Debian-PR-Message: ack-info 42630
X-Debian-PR-Package: grep
X-Debian-PR-Source: grep
Reply-To: 42630@bugs.debian.org
Thank you for the additional information you have supplied regarding
this Bug report.
This is an automatically generated reply to let you know your message
has been received.
Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.
Your message has been sent to the package maintainer(s):
Anibal Monsalve Salazar
If you wish to submit further information on this problem, please
send it to 42630@bugs.debian.org, as before.
Please do not send mail to owner@bugs.debian.org unless you wish
to report a problem with the Bug-tracking system.
-- 
42630: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=42630
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems