Zsh Mailing List Archive
Messages sorted by:
Reverse Date,
Date,
Thread,
Author
Re: zsh can output non-printable characters to the terminal in some error messages
- X-seq: zsh-workers 54741
- From: Mikael Magnusson <mikachu@xxxxxxxxx>
- To: zsh-workers@xxxxxxx
- Subject: Re: zsh can output non-printable characters to the terminal in some error messages
- Date: Wed, 10 Jun 2026 18:25:51 +0200
- Archived-at: <https://zsh.org/workers/54741>
- In-reply-to: <20260610095138.GA1479503@qaa.vinc17.org>
- List-id: <zsh-workers.zsh.org>
- References: <20260610095138.GA1479503@qaa.vinc17.org>
On Wed, Jun 10, 2026 at 12:11 PM Vincent Lefevre <vincent@xxxxxxxxxx> wrote:
>
> zsh 5.9.1 and below can output non-printable characters to the terminal
> (such as escape sequences) in some error messages.
>
> This may be a security vulnerability if a user creates a file name with
> malicious escape sequences in it.
>
> qaa% file=file$'\033'\[H$'\033'\[c$'\n'$'\b'
> qaa% touch $file
> qaa% chmod 0 $file

These two steps are not needed, you'll simply get a "No such file"
error instead with the same consequences without them.

> The following one is fine:
>
> qaa% : < $file
> zsh: permission denied: file^[[H^[[c\n^H
>
> But create a test.zsh script with
>
> foo=$(<$1)
>
> Then the following command outputs the escapes to the terminal
> due to the "Permission denied" error:
>
> qaa% ./test.zsh $file
>
> (to be run in an xterm-compatible terminal).

A slightly friendlier PoC:

% file=$'\033[35mhello\033[0m'
% =( chmod +x /dev/stdout; echo 'foo=$(<$1)' ) $file
/tmp/zsh0Q4Ap1: 1: cannot open hello: No such file

where "hello" will be listed in purple unexpectedly (presumably).

--
Mikael Magnusson
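
The `: < $file` case quoted above prints the name in a visible form (`file^[[H^[[c\n^H`), while the `$(<$1)` path writes the raw bytes to the terminal. As an added example (not zsh's code and not from either poster), the C function below renders a file name in that visible form before it goes into an error message; the name `visible_name` and the `\xNN` form for bytes >= 0x80 are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Write a terminal-safe rendering of name into out (size outsz).
 * Returns the rendered length, or -1 if out is too small. */
static int visible_name(const char *name, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        char tmp[5];
        if (*p == '\n')
            strcpy(tmp, "\\n");               /* newline shown as \n */
        else if (*p == '\t')
            strcpy(tmp, "\\t");               /* tab shown as \t */
        else if (*p < 0x20)
            snprintf(tmp, sizeof tmp, "^%c", *p + 64);  /* ESC -> ^[ */
        else if (*p == 0x7f)
            strcpy(tmp, "^?");                /* DEL */
        else if (*p >= 0x80)                  /* assumption: hex-escape high bytes */
            snprintf(tmp, sizeof tmp, "\\x%02x", (unsigned)*p);
        else
            snprintf(tmp, sizeof tmp, "%c", *p);
        size_t n = strlen(tmp);
        if (o + n + 1 > outsz)                /* keep room for the NUL */
            return -1;
        memcpy(out + o, tmp, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: the file name from the report above. */
    const char *name = "file\033[H\033[c\n\b";
    char shown[256];
    if (visible_name(name, shown, sizeof shown) < 0)
        strcpy(shown, "(name too long)");
    fprintf(stderr, "example: permission denied: %s\n", shown);
    return 0;
}
```

Escaping every byte at or above 0x80 also covers 8-bit C1 controls, at the cost of showing non-ASCII names as hex.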