bug#30535: Output buffer overwritten when CR in file

2018-02-19 Thread Wayne Gemmell 
Hi Paul

That is exactly what I am getting. It is probably acting quite correctly,
the problem is that the shell executing those control characters is both
confusing and a possible security risk. I've tried this in ksh, dash, bash
and zsh and they all execute the control characters.

I think that they should be suppressed or escaped by default and a flag
should be provided to allow them to be passed out unescaped. Maybe this has
become a feature request...



On Mon, 19 Feb 2018 at 22:13 Paul Eggert  wrote:

> Wayne Gemmell wrote:
> > I would expect the CR to be output verbatim
>
> It is output verbatim, just as you expect. For example:
>
> $ printf 'messag1\rlogin\rmask' >test.log
> 503-day $ grep --color=never login test.log | od -c
> 000   m   e   s   s   a   g   1  \r   l   o   g   i   n  \r   m   a
> 020   s   k  \n
> 023
>
-- 
Regards
Wayne

bug#30535: Output buffer overwritten when CR in file

2018-02-19 Thread Paul Eggert 

Wayne Gemmell wrote:

I would expect the CR to be output verbatim


It is output verbatim, just as you expect. For example:

$ printf 'messag1\rlogin\rmask' >test.log
503-day $ grep --color=never login test.log | od -c
000   m   e   s   s   a   g   1  \r   l   o   g   i   n  \r   m   a
020   s   k  \n
023

bug#30535: Output buffer overwritten when CR in file

2018-02-19 Thread Wayne Gemmell 
Hi

I have an issue with files that contain carriage returns. I have log files
that contain user input which sometime has carriage returns. The EOL
characters are fine so I can't throw mac2unix at the problem.

The issue is that when grep outputs the CR it follows the CR to the
beginning of the output buffer and overwrites the contents of the output
buffer.

E.g. the file, test.log with the following contents.

messag1^Mlogin^Mmask

The following command
$>/grep --color=never login test.log
Outputs as follows
$>maskng1

This seems like a security concern as you may be able to mask activity in
logs just by inserting CR in place. It would be superficial but it would
fool basic grep based logfile processing.

I would expect the CR to be output verbatim so as not to confuse the reader
of the output.


-- 
Regards
Wayne