Re: Bash not escaping escape sequences in directory names

[Josh Harcombe]

>
> I will look at doing something here to improve the situation, but I'll push
> back on the notion that this is a security issue with bash.
>
> This is fair.

I guess you're concerned with "(along with other user-controlled
> substitutions in the prompt)".  I'm not entirely sure what the OP
> meant by that, and I don't think anyone else is talking about
> anything but the results of \w and \W and such.
>
> "user-controlled substitutions" was the wrong phrasing I guess, what I
meant was I was wondering if this same sanitization principle should be
applied to other things that could become part of your prompt while being
controlled by someone else, (e.g. potentially the current git branch name)
but since a) `git-check-ref-format` restricts valid branch names anyway and
b) bash should probably only care about the PS1 built in substitutions then
\W and \w are probably the only ones that would need to be sanitized.

So I would ask which user-controlled prompts are "illegal" such that they
> would be sanitized? The user controls their own prompt. What
> transformations would
>
> you disallow that wouldn't trample on some user's choice of a prompt?
>
> Not that this is what was in your example, but I would say it's fair to
assume that intentionally creating we can disallow escape characters being
interpreted within directory names without severely impacting anybody's
prompt setup.

On Wed, Jan 19, 2022 at 1:13 PM Josh Harcombe <joshharc@gmail.com> wrote:

> Configuration Information [Automatically generated, do not change]:
> Machine: x86_64
> OS: linux-gnu
> Compiler: gcc
> Compilation CFLAGS: -g -O2
> uname output: Linux computator 5.10.89-1-MANJARO #1 SMP PREEMPT Wed Dec 29
> 18:09:17 UTC 2021 x86_64 GNU/Linux
> Machine Type: x86_64-pc-linux-gnu
>
> Bash Version: 5.2
> Patch Level: !PATCHLEVEL!
> Release Status: alpha
>
> Description:
> Note: this happens on 5.1 release version as well and probably many other
> previous versions
> If a folder that is being displayed as part of the PS1 prompt contains
> escape sequences, bash will interpret them literally instead of escaping
> them like zsh does for example. Escape sequences should be fine if directly
> part of the prompt string and I'm not aware of any way for this to cause
> issues other than messing with the prompt string in potentially unexpected
> ways.
> I would consider this a bug but it's possible there's an intended use case
> for it.
>
> Repeat-By:
> This is a silly little use case which gives the illusion of a root shell,
> with the colours changed and the end of the original prompt hidden.
>
> [computator ~]$ echo -e "\"\r\x1b[1;31m[computator
> \x1b[1;36mjoshh\x1b[1;31m]#\x1b[0;37m\x1b[8m\"" | xargs mkdir
> [computator ~]$ cd ^M^[\[1\;31m\[computator\
> ^[\[1\;36mjoshh^[\[1\;31m\]#^[\[0\;37m^[\[8m/
> [computator joshh]#
>
> Fix:
> Haven't looked deeply into the bash internals but sanitizing the directory
> name (along with other user-controlled substitutions in the prompt) should
> work.
>