
oss-sec mailing list archives
Re: xterm terminal crash due to malicious character sequences in file name
From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Sun, 17 Aug 2025 21:44:29 -0400
> On Wed, Aug 13, 2025 at 07:00:58PM +0200, Vincent Lefevre wrote:
>> The following makes the xterm terminal crash
>>
>>   touch "$(printf "file\e[H\e[c\n\b")"
>>   gunzip file*
>>
>> due to malicious character sequences in the file name and a bug in xterm.
>> Same issue with bunzip2 instead of gunzip.
>
> I do not expect this to only happen with gunzip and bzip2. Does this happen
> with any program that prints the filename without any escaping, e.g.,
> "echo file*", and most programs that print the provided filename
> ...

On Aug 17, 2025, at 10:09 AM, Erik Auerswald <auerswal () unix-ag uni-kl de> wrote:

> I'd expect most programs to not change the filename printed in their
> output. POSIX does not even expect "ls" to sanitize its output without
> "-q", but it does allow it[0]. Two more example programs that do not
> sanitize filenames in their output would be "file", at least version
> "5.41", and "dash", at least the version[1] included in Ubuntu GNU/Linux
> 22.04.5 LTS. I'd expect that you can find many more examples. Getting
> every program changed to follow your expectation seems like a Sisyphean
> task to me. Please note that I am not opposed to adding that feature to
> every existing and future program, it just seems foolish to rely on it,
> at least currently.
I agree. It'd be *much* more secure if the operating system simply prevented the creation of filenames with certain names, e.g., containing control characters and leading dashes. I wrote an essay here specifically about this:

https://dwheeler.com/essays/fixing-unix-linux-filenames.html

See section 1.3, "Oh, and don't display filenames. Filenames could contain control characters that control the terminal (and X-windows), causing nasty side-effects on display. Displaying filenames can even cause a security vulnerability, and who expects printing a filename to be a vulnerability?!?"

It's not a new problem, I knew about this in the 1980s and I'm sure others did too. I proposed forbidding such characters to POSIX. They *did* add a few mechanisms to POSIX to make it somewhat easier to handle filenames with control characters (e.g., find -print0 and xargs -0). However, although they do not *require* that operating systems allow these filenames, they are not forbidden either.

I have a draft Linux Security Module (LSM) that lets you determine what kind of filenames are allowed to be created. By default it would require non-control-chars, no leading '-', no trailing ' ', and UTF-8 encoding, but it would let you configure further. I intend to go back to that to finish it off & propose it. My original proposal merely prevented creation; it would be possible to hide them entirely, but that comes with its own issues.

--- David A. Wheeler
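As an added example, not code from this thread and not David Wheeler's draft LSM, the following Python sketch shows the two defensive positions the thread discusses side by side: a userspace check implementing the default policy he describes for the LSM (no control characters, no leading '-', no trailing ' ', valid UTF-8), and two output sanitizers that do what GNU `ls -q` and `ls -b` do, so that a filename's bytes never reach the terminal's escape-sequence parser when a program prints it. The function names, the exact escape style, and all sample names except the first (which is the name from Vincent Lefevre's report) are assumptions.

```python
"""Filename hygiene helpers (added example; not from the thread or the LSM)."""


# Userspace re-implementation of the default policy David Wheeler describes
# for his draft LSM. The semantics are an assumption, not the LSM's code.
def filename_policy_violations(name: bytes) -> list:
    """Return the list of policy rules a raw filename violates (empty = OK).

    Works on bytes because that is what the kernel sees: a filename is not
    necessarily valid text, and "is it UTF-8?" is one of the checks.
    """
    problems = []
    if any(b < 0x20 or b == 0x7F for b in name):
        problems.append("control character")   # ESC, newline, backspace, ...
    if name.startswith(b"-"):
        problems.append("leading '-'")          # would parse as an option
    if name.endswith(b" "):
        problems.append("trailing ' '")         # invisible when displayed
    try:
        name.decode("utf-8")
    except UnicodeDecodeError:
        problems.append("not valid UTF-8")
    return problems


def _chars(name: bytes) -> str:
    """Decode as UTF-8 but keep undecodable bytes recoverable (surrogateescape
    maps byte 0xNN to U+DCNN instead of raising)."""
    return name.decode("utf-8", errors="surrogateescape")


def _is_hazard(ch: str) -> bool:
    """True for anything a terminal's control-sequence parser could act on:
    C0 controls, DEL, C1 controls, and bytes that were not valid UTF-8."""
    cp = ord(ch)
    return cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F or 0xDC80 <= cp <= 0xDCFF


def replace_nonprintable(name: bytes) -> str:
    """ls -q style: every hazardous byte becomes '?'. Lossy, but safe."""
    return "".join("?" if _is_hazard(ch) else ch for ch in _chars(name))


def escape_for_terminal(name: bytes) -> str:
    """ls -b style: hazardous bytes become C octal escapes (\\033 for ESC) and
    backslashes are doubled, so the output is unambiguous and reversible."""
    out = []
    for ch in _chars(name):
        cp = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif 0xDC80 <= cp <= 0xDCFF:            # raw byte that was not UTF-8
            out.append("\\%03o" % (cp - 0xDC00))
        elif _is_hazard(ch):
            out.append("\\%03o" % cp)
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample names. The first is the name from the report
    # ($(printf "file\e[H\e[c\n\b")); the others are assumptions.
    samples = [
        b"file\x1b[H\x1b[c\n\x08",
        b"-rf",
        b"notes ",
        b"caf\xe9",            # Latin-1 e-acute: not valid UTF-8
        "caf\u00e9.txt".encode(),
    ]
    for raw in samples:
        # Only the sanitized forms are printed, so nothing here can drive
        # the terminal even if a sample carried an escape sequence.
        print("policy:", filename_policy_violations(raw) or "ok")
        print("  ls -q:", replace_nonprintable(raw))
        print("  ls -b:", escape_for_terminal(raw))
```

The policy check and the sanitizers answer different questions: the first decides whether a name should exist at all (the LSM approach, one place to enforce), the second two protect a single program's output (the per-program approach Erik Auerswald calls Sisyphean, since every `echo`, `file` and `dash` would need it). C1 controls and undecodable bytes are treated as hazards too, because some terminals honour 8-bit control codes and a stray byte can otherwise start a sequence that the following printable characters complete.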
Current thread:
- xterm terminal crash due to malicious character sequences in file name Vincent Lefevre (Aug 13)
- Re: xterm terminal crash due to malicious character sequences in file name Thomas Dickey (Aug 13)
- Re: xterm terminal crash due to malicious character sequences in file name Erik Auerswald (Aug 13)
- Re: xterm terminal crash due to malicious character sequences in file name Collin Funk (Aug 16)
- Re: xterm terminal crash due to malicious character sequences in file name Vincent Lefevre (Aug 16)
- Re: xterm terminal crash due to malicious character sequences in file name Solar Designer (Aug 16)
- Re: xterm terminal crash due to malicious character sequences in file name Erik Auerswald (Aug 17)
- Re: xterm terminal crash due to malicious character sequences in file name Vincent Lefevre (Aug 17)
- Re: xterm terminal crash due to malicious character sequences in file name David A. Wheeler (Aug 17)
- Re: blocking weird file names (was: xterm terminal crash due to malicious character sequences in file name) Jacob Bachmeyer (Aug 18)
- Re: blocking weird file names (was: xterm terminal crash due to malicious character sequences in file name) Simon McVittie (Aug 19)
- Re: blocking weird file names (was: xterm terminal crash due to malicious character sequences in file name) Ali Polatel (Aug 19)
- Re: xterm terminal crash due to malicious character sequences in file name Collin Funk (Aug 16)