View Issue Details

ID: 0000351
Project: file
Category: General
View Status: public
Last Update: 2022-06-28 04:03
Reporter: CathyKMeow
Assigned To: christos
Priority: none
Severity: feature
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: GNU/Linux
OS: Arch Linux ARM
OS Version: Rolling
Product Version: 5.41
Fixed in Version: 5.42
Summary: 0000351: Escape "special" characters before outputting

Description:
`file` does not escape "special" characters in file name before outputting. This is vulnerable to Trojan Source attacks.

(See https://trojansource.codes)

Example:
An attacker makes an executable binary file containing malicious code look like a non-executable ASCII text file, so the user might try to open it in the GUI by double-clicking on it, which instead executes the file.

Expected behavior:
```
user@localhost:~$ mkdir $'a\nb'
user@localhost:~$ file $'a\nb'
'a'$'\n''b': directory
```

What I see instead:
```
user@localhost:~$ mkdir $'a\nb'
user@localhost:~$ file $'a\nb'
a
b: directory
```
Steps To Reproduce:
```
$ mkdir $'a\nb'
$ file $'a\nb'
```
Additional Information:
```
user@localhost:~/file_bug_test$ mkdir $'a\nb'
mkdir: cannot create directory 'a\nb': File exists
user@localhost:~/file_bug_test$ ls
'a'$'\n''b'
user@localhost:~/file_bug_test$ find .
.
./a?b
user@localhost:~/file_bug_test$ tar -cf file_bug_test.tar *
user@localhost:~/file_bug_test$ tar --list -f file_bug_test.tar
a\nb/
user@localhost:~/file_bug_test$
```
Tags: No tags attached.

Activities

christos

2022-05-28 01:06

manager   ~0003753

Fixed, thanks!

Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2022-05-27 23:50 | CathyKMeow | New Issue | |
| 2022-05-28 01:06 | christos | Assigned To | => christos |
| 2022-05-28 01:06 | christos | Status | new => assigned |
| 2022-05-28 01:06 | christos | Status | assigned => resolved |
| 2022-05-28 01:06 | christos | Resolution | open => fixed |
| 2022-05-28 01:06 | christos | Fixed in Version | => 5.42 |
| 2022-05-28 01:06 | christos | Note Added: 0003753 | |
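
The kind of escaping the report asks for, as an added example that is not code from the `file` project or its 5.42 fix: a filename is rewritten before printing so that control bytes and the UTF-8 bidirectional controls described on trojansource.codes appear as octal escapes. The names `escape_filename` and `is_bidi_control` and the `\ooo` output style are assumptions made for this sketch; C1 controls and invalid UTF-8 are not handled.

```c
#include <stdio.h>
#include <string.h>

/* Bidi controls used in Trojan Source: U+202A..U+202E and U+2066..U+2069,
 * which are E2 80 AA..AE and E2 81 A6..A9 in UTF-8. */
static int is_bidi_control(const unsigned char *p, size_t left)
{
    if (left < 3 || p[0] != 0xE2)
        return 0;
    return (p[1] == 0x80 && p[2] >= 0xAA && p[2] <= 0xAE) ||
           (p[1] == 0x81 && p[2] >= 0xA6 && p[2] <= 0xA9);
}

/* Hypothetical helper: copy name into out with ASCII control bytes, DEL,
 * backslash and bidi controls rewritten as \ooo octal escapes. Other bytes
 * (including ordinary UTF-8) pass through. out is always NUL-terminated.
 * Returns 0 on success, -1 if out is too small (output truncated). */
int escape_filename(const char *name, char *out, size_t outlen)
{
    const unsigned char *p = (const unsigned char *)name;
    size_t left = strlen(name), o = 0;
    if (outlen == 0)
        return -1;
    while (left > 0) {
        size_t raw = is_bidi_control(p, left) ? 3 : 1;
        int esc = raw == 3 || *p < 0x20 || *p == 0x7F || *p == '\\';
        if (o + (esc ? raw * 4 : 1) >= outlen) {
            out[o] = '\0';
            return -1;
        }
        for (size_t i = 0; i < raw; i++, o += esc ? 4 : 1)
            if (esc)  /* writes 4 chars plus a NUL that is overwritten later */
                snprintf(out + o, 5, "\\%03o", (unsigned)p[i]);
            else
                out[o] = (char)p[i];
        p += raw; left -= raw;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];
    /* Constructed sample: the directory name from the report. */
    if (escape_filename("a\nb", buf, sizeof buf) == 0)
        printf("%s: directory\n", buf);
    return 0;
}
```

Escaping the backslash itself keeps the output unambiguous, so a file literally named `a\012b` cannot be confused with one containing a newline.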