Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: zsh can output non-printable characters to the terminal in some error messages

X-seq: zsh-workers 54742
From: Mikael Magnusson <mikachu@xxxxxxxxx>
To: zsh-workers@xxxxxxx
Subject: Re: zsh can output non-printable characters to the terminal in some error messages
Date: Wed, 10 Jun 2026 18:55:46 +0200
Arc-authentication-results: i=1; mx.google.com; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=RyDmOyW6SewGph+FDbvYEXPNPH0sMXWSW150oMAlhyM=; fh=SbTlPuNNxBzTkRlwWtqw/TXBY0HvGvtE97RpPp3sJPM=; b=Gv/YNNcb9OrU9bs4oq//v+QLZSse5SQNQ3PzKpl9J0g9O5SHpDE5/CeFgG2hfpYby/ msztJmZyOJWdrf5MkLTuyrduZnSE1dzpq+F33aREqGYD494oyZhXfE8lnkN+BjLrXmL7 pLDD8+vzqJLQ0fHluoF2E3DVq/uLewm+E94fC1+4zaQZdZ6PUxtCKQ26c6SfcSW4Sip5 UPveJ2ZkhFgI3UmlqwhlT0ZsZgk5nSRucvig+RXmSnkrp3STBcUTodYOc9fXKK3VNNsV wUUx+YrH83nBazJ8uz/5C+g2T9QDSuOH30vqkBzR6GSh2EpLVcZNA8nlyZrNCm2PfBAR hUAQ==; darn=zsh.org
Arc-seal: i=1; a=rsa-sha256; t=1781110559; cv=none; d=google.com; s=arc-20240605; b=Rsnr1jBL70rh1pNEuRLappKT1d2lI+7Z8N/pS6mkamzERs+3OwzBSuPc2EjrOZThTs bKI322/A+FyWOQTA3JJqeX2al2Xdx/VCOdioS09UeGb/vMsr1G/4PBh6Q9ToIAnuJgCw X/6SRVqVNsYcqx+jef5kdLxusUyOI57kcQSdDHZePjG1NKlNbxQzdma3QGJUurKL2SY3 Kx+bdCfFrilb4AypC8MnP+k0zwn/bfVZZOPxz4XvNOTY1oQzAS9AoSUhI8uUlA8fK5Uo FfFJbCJCsPP4aJuDc7Nu0e8bgIN4h90C48t77NW0mgbIO7HuRJx8EyIsgIC2YXwe5ITb HdbA==
Archived-at: <https://zsh.org/workers/54742>
In-reply-to: <CAHYJk3QaHLt9cWYd2XRK6+=yZbAY3ChWK3-ibCHqKXtw-=jUXg@mail.gmail.com>
List-id: <zsh-workers.zsh.org>
References: <20260610095138.GA1479503@qaa.vinc17.org> <CAHYJk3QaHLt9cWYd2XRK6+=yZbAY3ChWK3-ibCHqKXtw-=jUXg@mail.gmail.com>

On Wed, Jun 10, 2026 at 6:25 PM Mikael Magnusson <mikachu@xxxxxxxxx> wrote:
>
> On Wed, Jun 10, 2026 at 12:11 PM Vincent Lefevre <vincent@xxxxxxxxxx> wrote:
> >
> > zsh 5.9.1 and below can output non-printable characters to the terminal
> > (such as escape sequences) in some error messages.
> >
> > This may be a security vulnerability if a user creates a file name with
> > malicious escape sequences in it.
> >
> > qaa% file=file$'\033'\[H$'\033'\[c$'\n'$'\b'
> > qaa% touch $file
> > qaa% chmod 0 $file
>
> These two steps are not needed, you'll simply get a "No such file"
> error instead with the same consequences without them.
>
> > The following one is fine:
> >
> > qaa% : < $file
> > zsh: permission denied: file^[[H^[[c\n^H
> >
> > But create a test.zsh script with
> >
> > foo=$(<$1)
> >
> > Then the following command outputs the escapes to the terminal
> > due to the "Permission denied" error:
> >
> > qaa% ./test.zsh $file
> >
> > (to be run in an xterm-compatible terminal).
>
> A slightly friendlier PoC:
> % file=$'\033[35mhello\033[0m'
> % =( chmod +x /dev/stdout; echo 'foo=$(<$1)' ) $file
> /tmp/zsh0Q4Ap1: 1: cannot open hello: No such file
> where "hello" will be listed in purple unexpectedly (presumably).

Hmm, did you make the same mistake I did there? Eg, we didn't include
the #!/bin/zsh shebang. My script was run with /bin/sh and I suspect
so was yours?
% =( chmod +x /dev/stdout; echo '#!/bin/zsh';echo 'foo=$(ls < $1)' ) $file
/tmp/zshp8LCt1:2: no such file or directory: ^[[35mhello^[[0m
% =( chmod +x /dev/stdout; echo '#!/usr/local/bin/zsh-5.0.7';echo
'foo=$(ls < $1)' ) $file
/tmp/zshvOhDLY:2: no such file or directory: ^[[35mhello^[[0m


-- 
Mikael Magnusson

Follow-Ups:
- Re: zsh can output non-printable characters to the terminal in some error messages
  - From: Vincent Lefevre
- Re: zsh can output non-printable characters to the terminal in some error messages
  - From: Bart Schaefer

References:
- zsh can output non-printable characters to the terminal in some error messages
  - From: Vincent Lefevre
- Re: zsh can output non-printable characters to the terminal in some error messages
  - From: Mikael Magnusson

Messages sorted by: Reverse Date, Date, Thread, Author