On 2025-08-13 09:08:26 -0700, Paul Eggert wrote:
> On 8/13/25 07:49, Vincent Lefevre wrote:
> > $ touch "$(printf "file\e[H\e[c\n\b")"
> > $ gunzip file*
>
> Not sure it's gzip's job to sanitize file names that the user gave it.
> Pretty much every program in the universe will output file names as-is,

Many programs quote non-printable characters, e.g. those from GNU
Coreutils, but also xz (XZ Utils), diff from GNU diffutils, and
find from GNU findutils (I was the one who reported the issue for
find in 2005[*]).

[*] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311384

> if the user tells it the file name explicitly.

Well, it is given from the shell, not by the user explicitly.
But the shell cannot sanitize the file name; otherwise gzip would
not find the file. So, this would be up to the file system to
prevent the creation of such file names (I don't know what POSIX
says on this point, but POSIX might also require the opposite).

> Why should gzip be an exception?

Not really an exception (see above).

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
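
The quoting of non-printable characters that the message above attributes to Coreutils, xz, diffutils and findutils, sketched in C as an added example (not code from gzip or from any of those projects). `quote_file_name` is a hypothetical helper; as a simplifying assumption it is locale-unaware and escapes every byte outside printable ASCII, which also covers the 8-bit C1 controls.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not gzip's code): copy NAME into OUT with the
   backslash and every byte outside printable ASCII replaced by a C-style
   escape, so a diagnostic that prints the result cannot drive the terminal.
   Returns the length written, or -1 if OUT is too small. */
static int quote_file_name(const char *name, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        char esc[5];                 /* "\ooo" plus terminating NUL */
        const char *rep = esc;
        switch (*p) {
        case '\\': rep = "\\\\"; break;   /* keep the output unambiguous */
        case '\n': rep = "\\n";  break;
        case '\t': rep = "\\t";  break;
        case '\r': rep = "\\r";  break;
        case '\b': rep = "\\b";  break;
        default:
            if (*p >= 0x20 && *p < 0x7f) {
                esc[0] = (char)*p;
                esc[1] = '\0';
            } else {
                /* ESC, DEL, other C0 controls and all 8-bit bytes */
                snprintf(esc, sizeof esc, "\\%03o", (unsigned)*p);
            }
        }
        size_t n = strlen(rep);
        if (o + n + 1 > outsz)       /* leave room for the NUL */
            return -1;
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: the name created by the touch command above. */
    const char *name = "file\033[H\033[c\n\b";
    char quoted[256];
    if (quote_file_name(name, quoted, sizeof quoted) < 0)
        return 1;
    fprintf(stderr, "example: %s: not in gzip format\n", quoted);
    return 0;
}
```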