URL:
  <http://savannah.gnu.org/bugs/?17478>

                 Summary: in `-ls` mode, filenames not escaped in error messages
                 Project: findutils
            Submitted by: taviso
            Submitted on: Saturday 08/19/2006 at 19:38
                Category: find
                Severity: 3 - Normal
              Item Group: Wrong result
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
                 Release: 4.2.28
           Fixed Release: None

    _______________________________________________________

Details:

The `UNUSUAL FILENAMES` section of the find man page indicates that the
actions `-ls`, `-fls`, etc. will safely sanitise filenames for display on a
terminal; however, error messages are still unsanitised.

A malicious user who wanted to hide the location of a directory hierarchy
from an administrator could theoretically abuse this flaw to send the
terminal control characters to modify the output of find.

Reproduce:

$ mkdir test
$ cd test
$ for ((i=0;i<1024;i++)); do touch `printf "\a%d" $i`; done
$ rm * & find -ls
...
4056900    0 -rw-r--r--   1 taviso   users           0 Aug 19 21:36 ./999\007\007
find: ./1000: No such file or directory
find: ./1001: No such file or directory
find: ./1002: No such file or directory

(i.e., the error messages contain \a)







_______________________________________________
Bug-findutils mailing list
http://lists.gnu.org/mailman/listinfo/bug-findutils
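
The mitigation the report implies, escaping the filename before it is placed in a diagnostic, sketched as an added example; this is not part of the original report and not findutils' code. The names escape_filename and format_error are hypothetical, the sample names are constructed, and the escaping rule is a simplification: every byte outside printable ASCII, and backslash itself, becomes a three-digit octal escape like the \007 shown in the -ls output above.

```c
#include <stdio.h>
#include <string.h>

/* Escape each byte outside printable ASCII, and backslash itself, as a
 * three-digit octal escape (the \007 form seen in the -ls output).
 * Assumption: non-ASCII bytes are escaped regardless of locale.
 * Returns the escaped length, or -1 if `out` is too small. */
static int escape_filename(const char *name, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        int plain = (*p >= 0x20 && *p < 0x7f && *p != '\\');
        if (n + (plain ? 1 : 4) + 1 > outsz)   /* +1 keeps room for NUL */
            return -1;
        if (plain)
            out[n++] = (char)*p;
        else
            n += (size_t)snprintf(out + n, outsz - n, "\\%03o", (unsigned)*p);
    }
    out[n] = '\0';
    return (int)n;
}

/* Build an error line shaped like the report's ("find: NAME: REASON"),
 * escaping NAME first. Returns 0 on success, -1 on truncation. */
static int format_error(const char *name, const char *reason,
                        char *msg, size_t msgsz)
{
    char safe[4 * 4096 + 1];   /* assumed bound: 4096-byte path, all escaped */
    if (escape_filename(name, safe, sizeof safe) < 0)
        return -1;
    int len = snprintf(msg, msgsz, "find: %s: %s", safe, reason);
    return (len < 0 || (size_t)len >= msgsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed names: a BEL-prefixed one as in the report, and one
     * carrying an ESC-introduced attribute reset. */
    const char *samples[] = { "./\a1000", "./dir\033[0mname" };
    char msg[2048];
    for (size_t i = 0; i < 2; i++)
        if (format_error(samples[i], "No such file or directory", msg, sizeof msg) == 0)
            fprintf(stderr, "%s\n", msg);
    return 0;
}
```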
