0000351: Escape "special" characters before outputting

ID	Project	Category	View Status	Date Submitted	Last Update

0000351	file	General	public	2022-05-27 23:50	2022-06-28 04:03

Reporter	CathyKMeow	Assigned To	christos
Priority	none	Severity	feature	Reproducibility	always
Status	resolved	Resolution	fixed
Platform	GNU/Linux	OS	Arch Linux ARM	OS Version	Rolling
Product Version	5.41
Fixed in Version	5.42

Summary	0000351: Escape "special" characters before outputting
Description	`file` does not escape "special" characters in file name before outputting. This is vulnerable to Trojan Source attacks. (See https://trojansource.codes) Example: An attacker make an executable binary file containing malicious code look like a non-executable ASCII text file, so the user might try to open them in the GUI by double clicking on it, which instead executes the file. Expected behavior: ``` user@localhost:~$ mkdir $'a\nb' user@localhost:~$ file $'a\nb' 'a'$'\n''b': directory ``` What I see instead: ``` user@localhost:~$ mkdir $'a\nb' user@localhost:~$ file $'a\nb' a b: directory ```
Steps To Reproduce	``` $ mkdir $'a\nb' $ file $'a\nb' ```
Additional Information	``` user@localhost:~/file_bug_test$ mkdir $'a\nb' mkdir: cannot create directory 'a\nb': File exists user@localhost:~/file_bug_test$ ls 'a'$'\n''b' user@localhost:~/file_bug_test$ find . . ./a?b user@localhost:~/file_bug_test$ tar -cf file_bug_test.tar * user@localhost:~/file_bug_test$ tar --list -f file_bug_test.tar a\nb/ user@localhost:~/file_bug_test$ ```
Tags	No tags attached.

Date Modified	Username	Field	Change
2022-05-27 23:50	CathyKMeow	New Issue
2022-05-28 01:06	christos	Assigned To	=> christos
2022-05-28 01:06	christos	Status	new => assigned
2022-05-28 01:06	christos	Status	assigned => resolved
2022-05-28 01:06	christos	Resolution	open => fixed
2022-05-28 01:06	christos	Fixed in Version	=> 5.42
2022-05-28 01:06	christos	Note Added: 0003753

christos 2022-05-28 01:06 manager ~0003753	Fixed, thanks!