Debian Bug report logs -
#311384
findutils: find should filter out non-printable characters
Report forwarded to debian-bugs-dist@lists.debian.org, Andreas Metzler <ametzler@debian.org>:
Bug#311384; Package findutils.
Acknowledgement sent to Vincent Lefevre <vincent@vinc17.org>:
New Bug report received and forwarded. Copy sent to Andreas Metzler <ametzler@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: findutils
Version: 4.1.20-6
Severity: important
The "find" command should filter out non-printable characters when the
output stream (stdout or stderr) is attached to a terminal. Otherwise
escape sequences may be sent to the terminal, for instance when there
are filenames encoded in UTF-8 and the user has ISO-8859 locales. Also
$ touch "test`tput mc0`"
$ find .
will print some data if your terminal supports printing (e.g. xterm,
if this support hasn't been disabled by setting printerCommand to an
empty string). This is bad for the security/privacy as some malicious
user may create such a filename...
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11.10-20050517
Locale: LANG=POSIX, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1)
Versions of packages findutils depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
-- no debconf information
Message sent on to Vincent Lefevre <vincent@vinc17.org>:
Bug#311384.
Message #10 received at 311384-submitter@bugs.debian.org:
URL:
<http://savannah.gnu.org/bugs/?func=detailitem&item_id=13303>
Summary: find should filter out non-printable characters if
outputting to tty
Project: findutils
Submitted by: ametzler
Submitted on: Sun 05.06.2005 at 12:02
Category: find
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Originator Name: Vincent Lefevre
Originator Email: 311384-submitter@bugs.debian.org
Open/Closed: Open
Release: 4.2.20
Fixed Release: None
_______________________________________________________
Details:
This is http://bugs.debian.org/311384 reported against the Debian bug
tracking system.
----------------------
Vincent Lefevre <vincent@vinc17.org> writes:
The "find" command should filter out non-printable characters when the output
stream (stdout or stderr) is attached to a terminal. Otherwise escape
sequences may be sent to the terminal, for instance when there are filenames
encoded in UTF-8 and the user has ISO-8859 locales. Also
$ touch "test`tput mc0`"
$ find .
will print some data if your terminal supports printing (e.g. xterm, if this
support hasn't been disabled by setting printerCommand to an empty string).
This is bad for the security/privacy as some malicious user may create such a
filename...
----------------------
Afaict dumping non printable characters to the terminal usually is not wanted
and should not be default.
Posix says:
-print
The primary shall always evaluate as true; it shall cause
the current pathname to be written to standard output.
so by filtering out these characters (e.g. by replacing them with
question marks or their escape codes) we would not be following posix to the
letter. But do you want to be _that_ strict?
cu andreas
_______________________________________________________
Carbon-Copy List:
CC Address | Comment
------------------------------------+-----------------------------
311384-submitter@bugs.debian.org | submitter and BTS
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?func=detailitem&item_id=13303>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
Message #13 received at 311384-submitter@bugs.debian.org:
On Sun, Jun 05, 2005 at 12:02:59PM +0000, Andreas Metzler wrote:
> Afaict dumping non printable characters to the terminal usually is not wanted
> and should not be default.
>
> Posix says:
> -print
> The primary shall always evaluate as true; it shall cause
> the current pathname to be written to standard output.
>
> so by filtering out these characters (e.g. by replacing them with
> question marks or their escape codes) we would not be following posix to the
> letter. But do you want to be _that_ strict?
I'm tempted to adopt the same approach as "ls" does in coreutils,
which is to print a "?" for nongraphic characters if stdout is a tty.
For find, this might also logically mean changing -fprintf if the
target is a terminal, too.
Do other list members have opinions or thoughts?
James.
Message #16 received at 311384-submitter@bugs.debian.org:
On 2005-06-05 James Youngman <jay@gnu.org> wrote:
[dumping non-printable chars to terminal]
> I'm tempted to adopt the same approach as "ls" does in coreutils,
> which is to print a "?" for nongraphic characters if stdout is a tty.
> For find, this might also logically mean changing -fprintf if the
> target is a terminal, too.
s/-fprintf/-printf/
cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
http://downhill.aus.cc/
Message #19 received at 311384-submitter@bugs.debian.org:
On Sun, Jun 05, 2005 at 04:12:42PM +0200, Andreas Metzler wrote:
> > For find, this might also logically mean changing -fprintf if the
> > target is a terminal, too.
>
> s/-fprintf/-printf/
> cu andreas
Sorry, I wasn't clear enough. I meant both of them.
find . -fprintf /dev/tty "%p\n"
find . -printf "%p\n"
I think that -print0 and friends should probably just pass the data
through unchanged, even if stdout is a tty.
James.
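The "ls"-style behaviour proposed in the two messages above (print "?" for nongraphic bytes when the output is a tty, pass -print0 data through unchanged), as an added C example; it is not the findutils patch or code from this thread. The function names qmark_nongraphic and emit_name and the sample filenames are assumptions made for illustration.

```c
#include <ctype.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Copy name to out, replacing each byte that isprint() rejects in the
   current LC_CTYPE locale with '?'. out needs strlen(name)+1 bytes.
   Returns the number of bytes replaced. */
size_t qmark_nongraphic(const char *name, char *out)
{
    size_t replaced = 0;
    for (; *name != '\0'; name++) {
        unsigned char c = (unsigned char)*name;
        if (isprint(c)) {
            *out++ = (char)c;
        } else {
            *out++ = '?';
            replaced++;
        }
    }
    *out = '\0';
    return replaced;
}

/* Hypothetical stand-in for -print / -print0: term is '\n' or '\0'.
   Only the newline-terminated form is filtered, and only on a tty.
   Returns the number of bytes replaced, or -1 on error. */
long emit_name(FILE *fp, const char *name, int term, int is_tty)
{
    size_t replaced = 0;
    char *buf = malloc(strlen(name) + 1);
    if (buf == NULL)
        return -1;
    if (is_tty && term == '\n')
        replaced = qmark_nongraphic(name, buf);
    else
        strcpy(buf, name);
    int bad = fputs(buf, fp) == EOF || putc(term, fp) == EOF;
    free(buf);
    return bad ? -1 : (long)replaced;
}

int main(void)
{
    /* Constructed samples: a name with an ESC byte, standing in for the
       `tput mc0` output in the report, a UTF-8 name, and a plain name. */
    const char *names[] = { "test\033[i", "caf\303\251", "plain.txt" };
    setlocale(LC_CTYPE, "");
    for (size_t i = 0; i < 3; i++)
        emit_name(stdout, names[i], '\n', isatty(STDOUT_FILENO));
    return 0;
}
```

Run it once with stdout on the terminal and once piped through `od -c` to see that only the terminal case is filtered.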
Message #22 received at 311384-submitter@bugs.debian.org:
Follow-up Comment #1, bug #13303 (project findutils):
My first instinct is to follow the behaviour of "ls", which seems sensible.
However, I've started a discussion on the bug-findutils mailing list.
Message #25 received at 311384-submitter@bugs.debian.org:
Follow-up Comment #2, bug #13303 (project findutils):
I propose the attached patch (against current CVS). Please try it out and
let me know if you're happy with the result.
The patch affects -print, -fprint, -fprintf, -printf. It does not affect
-ok, -okdir or -print0. The -ls and -fls actions already had escaping.
The escape style for -print and friends is different to that used by -ls.
This is explained in the documentation, which is also patched. Please let
me know how intelligible you find the (updated) documentation.
One could argue that -ok and -okdir should be fixed. It's not immediately
obvious what the best way of doing that is.
Thanks.
_______________________________________________________
Additional Item Attachment:
File name: escaped-terminal-output.patch Size:28 KB
Proposed patch (1) against current CVS
<http://savannah.gnu.org/bugs/download.php?item_id=13303&item_file_id=2576>
Message #28 received at 311384-submitter@bugs.debian.org:
Update of bug #13303 (project findutils):
Item Group: None => Wrong result
Status: None => Ready For Test
Assigned to: None => jay
Message #31 received at 311384-submitter@bugs.debian.org:
On 2005-06-05 15:36:01 +0100, James Youngman wrote:
> I think that -print0 and friends should probably just pass the data
> through unchanged, even if stdout is a tty.
Anyway I think that it does not make sense to use -print0 when
stdout is a tty. So any behavior would be OK in this case.
--
Vincent Lefèvre <vincent@vinc17.org> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / SPACES project at LORIA
Message #34 received at 311384-submitter@bugs.debian.org:
Follow-up Comment #3, bug #13303 (project findutils):
I like the idea, but the patch is quite large.
One mistake found so far: the change to pred_fprint() will result in double
print.
P.S. Could you please add -p option to "cvs diff" command next time?
Message #37 received at 311384-submitter@bugs.debian.org:
On Mon, Jun 06, 2005 at 08:51:34AM +0200, Vincent Lefevre wrote:
> On 2005-06-05 15:36:01 +0100, James Youngman wrote:
> > I think that -print0 and friends should probably just pass the data
> > through unchanged, even if stdout is a tty.
>
> Anyway I think that it does not make sense to use -print0 when
> stdout is a tty. So any behavior would be OK in this case.
How did you find the patch? More importantly, is the updated
documentation intelligible?
Regards,
James.
Message #40 received at 311384-submitter@bugs.debian.org:
Follow-up Comment #4, bug #13303 (project findutils):
Here is an updated patch which remedies the problem found by 860 Dmitry V.
Levin (double output for -fprint). diff -p used :)
_______________________________________________________
Additional Item Attachment:
File name: escaped-terminal-output-2.patch Size:29 KB
Second proposed patch (replacing the first) against current CVS
<http://savannah.gnu.org/bugs/download.php?item_id=13303&item_file_id=2579>
Message #43 received at 311384-submitter@bugs.debian.org:
On 2005-06-07 09:08:50 +0100, James Youngman wrote:
> How did you find the patch?
The behaviour seems OK to me.
> More importantly, is the updated documentation intelligible?
+@item -ls
+@itemx -fls
+Unusual characters are always escaped. White space, backslash, and
+double quote characters are printed using C-style escaping (for
+example @samp{\f}, @samp{\"}). Other unusual characters are printed
+using an octal escape. Printable characters (for @samp{-ls} and
+@samp{-fls} these are the characters between octal 040 and 0177) are
+printed as-is.
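Review bot: the closing sentence gives the printable range for -ls and -fls as fixed octal values, but the paragraph never says how bytes above 0177 are treated or whether the range depends on the locale. If those bytes fall under "Other unusual characters" and are always printed as octal escapes, state that explicitly so a reader can tell how non-ASCII file names will appear.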
There are two problems in the last sentence. First, 0177 is not a
printable character; this is the DEL character and is displayed as
\177 by "find . -ls". Moreover you should probably add "after the
possible backslash" or say "*Other* printable characters".
Ditto concerning the man page.
--
Vincent Lefèvre <vincent@vinc17.org> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / SPACES project at LORIA
Message #46 received at 311384-submitter@bugs.debian.org:
On Tue, Jun 07, 2005 at 02:02:04PM +0200, Vincent Lefevre wrote:
> On 2005-06-07 09:08:50 +0100, James Youngman wrote:
> > How did you find the patch?
>
> The behaviour seems OK to me.
[...]
> There are two problems in the last sentence.
I have now corrected the documentation as suggested and committed the
patch to the findutils CVS tree.
Still to do in this area:
* Make locate consistent with the (new) behaviour of find
* Add the options suggested by Dmitry.
Regards,
James.
Message #49 received at 311384-submitter@bugs.debian.org:
Update of bug #13303 (project findutils):
Status: Ready For Test => Fixed
_______________________________________________________
Follow-up Comment #5:
This problem is fixed in the CVS code for findutils.
To resolve your problem, you could either wait for the
next official release of findutils, or check out a copy
of the code from the CVS repository for findutils.
Message #52 received at 311384-submitter@bugs.debian.org:
Update of bug #13303 (project findutils):
Open/Closed: Open => Closed
Fixed Release: None => 4.2.21
_______________________________________________________
Follow-up Comment #6:
You can download a release of findutils in which this problem is
fixed from ftp://alpha.gnu.org/gnu/findutils.
The releases on alpha.gnu.org are for testing purposes, so please
take the time to download the release and verify that your
problem has been solved. Once the release has been sufficiently
tested, it can be uploaded to ftp.gnu.org for everybody to use it.
Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility.
Notification sent to Vincent Lefevre <vincent@vinc17.org>:
Bug acknowledged by developer.
Message #57 received at 311384-close@bugs.debian.org:
Source: findutils
Source-Version: 4.2.22-1
We believe that the bug you reported is fixed in the latest version of
findutils, which is due to be installed in the Debian FTP archive:
findutils_4.2.22-1.diff.gz
to pool/main/f/findutils/findutils_4.2.22-1.diff.gz
findutils_4.2.22-1.dsc
to pool/main/f/findutils/findutils_4.2.22-1.dsc
findutils_4.2.22-1_i386.deb
to pool/main/f/findutils/findutils_4.2.22-1_i386.deb
findutils_4.2.22.orig.tar.gz
to pool/main/f/findutils/findutils_4.2.22.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 311384@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated findutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 13 Jun 2005 19:39:46 +0200
Source: findutils
Binary: findutils
Architecture: source i386
Version: 4.2.22-1
Distribution: unstable
Urgency: low
Maintainer: Andreas Metzler <ametzler@debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description:
findutils - utilities for finding files--find, xargs, and locate
Closes: 208307 301934 311384 312760 312761 313081
Changes:
findutils (4.2.22-1) unstable; urgency=low
.
* New upstream version
- fixes infinite loop of "find -follow" on trees with symlinks to ./.
(Closes: #313081)
- better documentation for %k and %d printf directives. (Closes: #208307)
- find filters out non-printable characters (which could mess up the
terminal) when printing the output to a console. (Closes: #311384)
- Typo fixes. (Closes: #301934, #312760, #312761) (Thanks, A Costa.)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Dec 23 16:45:09 2023;