GNU bug report logs - #30535
Output buffer overwritten when CR in file

Previous Next

To reply to this bug, email your comments to 30535 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Wayne Gemmell <wayne <at> gemmell.co.za>
To: bug-grep <at> gnu.org
Subject: Output buffer overwritten when CR in file
Date: Mon, 19 Feb 2018 14:36:43 +0000

[Message part 1 (text/plain, inline)]

Hi

I have an issue with files that contain carriage returns. I have log files
that contain user input which sometime has carriage returns. The EOL
characters are fine so I can't throw mac2unix at the problem.

The issue is that when grep outputs the CR it follows the CR to the
beginning of the output buffer and overwrites the contents of the output
buffer.

E.g. the file, test.log with the following contents.

messag1^Mlogin^Mmask

The following command
$>/grep --color=never login test.log
Outputs as follows
$>maskng1

This seems like a security concern as you may be able to mask activity in
logs just by inserting CR in place. It would be superficial but it would
fool basic grep based logfile processing.

I would expect the CR to be output verbatim so as not to confuse the reader
of the output.


-- 
Regards
Wayne

[Message part 2 (text/html, inline)]

Message #8 received at 30535 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Wayne Gemmell <wayne <at> gemmell.co.za>, 30535 <at> debbugs.gnu.org
Subject: Re: bug#30535: Output buffer overwritten when CR in file
Date: Mon, 19 Feb 2018 12:13:17 -0800

Wayne Gemmell wrote:
> I would expect the CR to be output verbatim

It is output verbatim, just as you expect. For example:

$ printf 'messag1\rlogin\rmask' >test.log
503-day $ grep --color=never login test.log | od -c
0000000   m   e   s   s   a   g   1  \r   l   o   g   i   n  \r   m   a
0000020   s   k  \n
0000023

Message #11 received at 30535 <at> debbugs.gnu.org (full text, mbox):

From: Wayne Gemmell <wayne <at> gemmell.co.za>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: 30535 <at> debbugs.gnu.org
Subject: Re: bug#30535: Output buffer overwritten when CR in file
Date: Tue, 20 Feb 2018 07:34:07 +0000

[Message part 1 (text/plain, inline)]

Hi Paul

That is exactly what I am getting. It is probably acting quite correctly,
the problem is that the shell executing those control characters is both
confusing and a possible security risk. I've tried this in ksh, dash, bash
and zsh and they all execute the control characters.

I think that they should be suppressed or escaped by default and a flag
should be provided to allow them to be passed out unescaped. Maybe this has
become a feature request...



On Mon, 19 Feb 2018 at 22:13 Paul Eggert <eggert <at> cs.ucla.edu> wrote:

> Wayne Gemmell wrote:
> > I would expect the CR to be output verbatim
>
> It is output verbatim, just as you expect. For example:
>
> $ printf 'messag1\rlogin\rmask' >test.log
> 503-day $ grep --color=never login test.log | od -c
> 0000000   m   e   s   s   a   g   1  \r   l   o   g   i   n  \r   m   a
> 0000020   s   k  \n
> 0000023
>
-- 
Regards
Wayne

[Message part 2 (text/html, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.