On 2002-08-18 10:33:02 +0200, KORN Andras wrote:
> On Sat, Aug 17, 2002 at 05:42:26PM -0400, Matt Zimmerman wrote:
> > To assume that the grep operation is safe, while the cat operation is not,
> > would be unwise to say the least. Both of those operations, when used in a
> > potentially hostile directory, read untrusted data and write it to stdout
> > (including a terminal).
I've opened a new bug concerning the non-printable characters in the
file contents: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498336

> There is no need to convince me of this. I was trying to explain
> that people don't think about those operations the same way, but
> apparently I wasn't being good at it.

I agree with you. In general, people use utilities such as "less" or
text editors to read file contents, not "cat". And when "cat" is used,
it is usually on some well-determined file, whereas "grep" is sometimes
used recursively, making it even more hazardous. Another point is that
non-printable characters can affect the coloring done by grep itself,
making any post-filtering more or less impossible.

> 'find' should, imho, do the same filtering I expect from grep (yes,
> obviously only when writing to a terminal).

It now does:

findutils (4.2.22-1) unstable; urgency=low

  * New upstream version
    - fixes infinite loop of "find -follow" on trees with symlinks to ./.
      (Closes: #313081)
    - better documentation for %k and %d printf directives.
      (Closes: #208307)
    - find filters out non-printable characters (which could mess up the
      terminal) when printing the output to a console. (Closes: #311384)
    - Typo fixes. (Closes: #301934, #312760, #312761) (Thanks, A Costa.)

 -- Andreas Metzler <[EMAIL PROTECTED]>  Mon, 13 Jun 2005 19:39:46 +0200

> Anyway, this issue isn't worth arguing any further about; I don't think
> realistic exploits of this problem will surface in the foreseeable future.

FYI, I already had the output of my terminal sent to a *shared* printer
due to a problem like this.

-- 
Vincent Lefèvre <[EMAIL PROTECTED]> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
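Worked illustration of the hazard discussed above, added here as an example; it is not code from findutils, grep or coreutils, nor from any participant in the thread. A constructed file name carries the xterm Media Copy control sequences ESC[5i and ESC[4i (printer-controller mode on and off), which is the kind of sequence that can redirect terminal output to a printer, together with a DEL, a UTF-8 encoded C1 CSI and an invalid byte. The filter rewrites control characters as visible escapes only when stdout is a terminal, which is the behaviour the findutils changelog entry describes for find; the function names, the hostile name and the `\xNN` / `\u{...}` notation are this example's own choices. It goes slightly beyond the byte-level case in the thread by also escaping Unicode format characters (category Cf, e.g. bidi overrides), which can likewise alter what a terminal shows.

```python
"""Filter untrusted bytes before they reach a terminal.

Added example (hypothetical): demonstrates why cat/grep/find output must not be
passed raw to a tty, and one way to neutralise it. Not findutils or grep code.
"""
import sys
import unicodedata

# Constructed hostile file name (not taken from the thread). It embeds:
#   ESC[5i ... ESC[4i  xterm Media Copy: printer-controller mode on / off
#   \x7f               DEL
#   \xc2\x9b           UTF-8 encoding of U+009B, the single-byte CSI
#   \xff               a byte that is not valid UTF-8 at all
HOSTILE_NAME = b"report\x1b[5i secret data \x1b[4i.txt\x7f\xc2\x9b2J\xff"

# The only control characters that are harmless to echo to a terminal.
PASSTHROUGH = {"\t", "\n"}


def escape_controls(data: bytes) -> str:
    """Render bytes for a terminal: every control, format or undecodable byte
    becomes a visible escape; printable text passes through unchanged."""
    # surrogateescape keeps invalid bytes recoverable instead of raising.
    text = data.decode("utf-8", errors="surrogateescape")
    out = []
    for ch in text:
        cp = ord(ch)
        if ch in PASSTHROUGH:
            out.append(ch)
        elif 0xDC80 <= cp <= 0xDCFF:
            # surrogateescape slot: the original invalid byte was cp - 0xDC00
            out.append(f"\\x{cp - 0xDC00:02x}")
        elif unicodedata.category(ch).startswith("C"):
            # Cc: C0/C1 controls and DEL; Cf: format chars such as bidi overrides;
            # Cs/Co/Cn: surrogates, private use, unassigned. None belong on a tty.
            out.append(f"\\x{cp:02x}" if cp < 0x100 else f"\\u{{{cp:04x}}}")
        else:
            out.append(ch)
    return "".join(out)


def render(data: bytes, to_tty: bool) -> str:
    """What a well-behaved tool writes: the real bytes when piped (downstream
    tools need the genuine name), escaped text when stdout is a terminal."""
    if to_tty:
        return escape_controls(data)
    return data.decode("utf-8", errors="surrogateescape")


def contains_escape_sequence(data: bytes) -> bool:
    """Cheap check for names worth a closer look: ESC or the C1 CSI byte."""
    return b"\x1b" in data or b"\x9b" in data


if __name__ == "__main__":
    # Run it twice: once in a terminal (escaped) and once piped through
    # `| od -c` to see the raw ESC bytes go through untouched.
    line = render(HOSTILE_NAME, sys.stdout.isatty())
    sys.stdout.buffer.write(line.encode("utf-8", errors="surrogateescape") + b"\n")
```

The decision in `render` mirrors the point made in the thread: the filter must apply only when writing to a terminal, because a pipe consumer such as xargs needs the unmodified name, and the escaped form is for human eyes only. Note that this is purely an output-side defence; tools that colourise their own output, as grep does, still have to apply it before inserting their own escape sequences, otherwise the two get mixed.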

