Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -O2 -Werror=implicit-function-declaration -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wall
uname output: Linux disset 7.0.10+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 7.0.10-1 (2026-05-27) x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 5.3
Patch Level: 9
Release Status: release

Description:
    bash can output non-printable characters to the terminal
    (such as escape sequences) in some error messages. This may
    be a security vulnerability if a user creates a file name
    with malicious escape sequences in it.

Repeat-By:
    vlefevre@disset:~$ file=file$'\033'\[H$'\033'\[c$'\n'$'\b'
    vlefevre@disset:~$ touch "$file"
    vlefevre@disset:~$ chmod 0 "$file"
    vlefevre@disset:~$ : < "$file"

    The escape sequences are output to the terminal.

Fix:
    The file name should be sanitized like what the GNU Coreutils
    and zsh (on this example) do. For instance:

    vlefevre@disset:~$ cat "$file"
    cat: 'file'$'\033''[H'$'\033''[c'$'\n\b': Permission denied

    and with zsh:

    disset% : < "$file"
    zsh: permission denied: file^[[H^[[c\n^H

--
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
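An added example, not part of the original report and not code from bash, zsh or GNU Coreutils: a C helper that renders a file name for an error message in the caret style of the zsh output quoted above. The name `sanitize_name`, the `\u00XX` form for UTF-8 encoded C1 controls, and the assumption that names are UTF-8 are choices made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: write a terminal-safe rendering of `name` into `out`
 * (always NUL-terminated). Returns 0 on success, -1 if `out` is too small.
 * C0 controls and DEL become caret notation, newline becomes "\n", and
 * UTF-8 encoded C1 controls (U+0080..U+009F) become \u00XX. */
int sanitize_name(const char *name, char *out, size_t outsz)
{
    const unsigned char *p = (const unsigned char *)name;
    size_t used = 0;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    while (*p) {
        char tmp[8];
        if (*p == '\n') {
            strcpy(tmp, "\\n");
        } else if (*p < 0x20 || *p == 0x7f) {
            /* ^@ .. ^_ for 0x00..0x1f, ^? for DEL */
            tmp[0] = '^'; tmp[1] = (char)(*p ^ 0x40); tmp[2] = '\0';
        } else if (*p == 0xc2 && p[1] >= 0x80 && p[1] <= 0x9f) {
            /* C1 control such as CSI (U+009B): some terminals act on it */
            snprintf(tmp, sizeof tmp, "\\u%04X", (unsigned)p[1]);
            p++;                      /* consume the continuation byte too */
        } else {
            tmp[0] = (char)*p; tmp[1] = '\0';   /* printable or other UTF-8 */
        }
        size_t n = strlen(tmp);
        if (used + n + 1 > outsz)
            return -1;                /* refuse to truncate silently */
        memcpy(out + used, tmp, n + 1);
        used += n;
        p++;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: the file name from the report's Repeat-By steps */
    const char *name = "file\033[H\033[c\n\b";
    char safe[64];
    if (sanitize_name(name, safe, sizeof safe) == 0)
        fprintf(stderr, "demo: %s: Permission denied\n", safe);
    return 0;
}
```

A literal backslash followed by `n` in a name renders the same as a newline here, as it does in the zsh output; a caller that needs an unambiguous form can use shell-style quoting like the Coreutils output instead.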
