GNOME Bugzilla – Bug 549882
Control characters alter filename appearance
Last modified: 2021-06-18 15:53:19 UTC
After reading an article about how the LRO and RLO Unicode characters could be used to produce deceptive filenames in Vista, a friend of mine and I tried this on Ubuntu to see if it would work there too. I used the following command via terminal: touch S[RLO]iva.exe where [RLO] is the Right to Left Override character pasted into the terminal. (Note that some terminals do not allow you to paste this character. At least my friend's didn't.) ls'ing the directory shows something akin to S iva.exe. (The space would be the control character.) Viewing the directory in nautilus or on the desktop shows the filename as "Sexe.avi". Quite the tempting filename. Indeed, everything GUI seems to render the effects of the control character. At least as far as viewing filename and saving files via Pidgin's file transfer and such. (The spoofed filename even remains intact in the field where the filename to save as is defaulted to the filename that the sender is sending.) Double clicking would attempt to open it as an exe. Obviously only remotely detrimental if you have Wine or something else that handles exe files. But still, the possibility for exploit using crafted filenames remains. Something like [RLO]gpj.[LRO]ShellScript could easily be spoofed and would render as ShellScript.jpg. Ubuntu 7.04 and 8.04 LTS, and probably more. I have already posted this bug on bugs.launchpad.net/ubuntu. Somebody recommended opening a report here too. https://bugs.launchpad.net/bugs/197804
Created attachment 117610 S[RLO]iva.exe (Only contains text.)
I can kinda reproduce this bug here, but I don't fully understand what's the issue. Are you suggesting that Nautilus and the other GNOME applications should not honor these RLO and LRO operators in displayed names for security reasons?
That indeed is the suggestion, which sounds to me like it would maim i18n. CCing them to get their opinion.
Makes some sense. Though the issue is really hard. See all the phishing discussions over internationalized domain names... Let's say this depends on bug 70399.
Providing bad visual feedback is not only a problem of RLO. In the worst case it could make an assumption that you are going to overwrite an existing file. Nothing worse could happen. (False IDN is a different issue.) This is a very common case:
For example, these two files should render equally due to RLO:
    touch $'S\327\220\327\221va.exe' $'S\342\200\255\327\221\327\220va.exe'
And these due to flying/embedded accent:
    touch $'Voil\303\241' $'Voila\314\201'
These three should render equally or nearly equally as well due to space attributes:
    touch 'A FILE' $'A\302\240FILE' $'A\342\200\257FILE'
These due to use of Zero Width characters:
    touch file $'f\342\200\213i\342\200\213l\342\200\213e'
And finally these due to combining with similar characters from other alphabets:
    touch passwd $'\321\200\320\260\321\225\321\225wd'
And here use of the combining character is mandatory (and it seems that in GNOME 2.24 it does not render correctly):
    touch $'\340\244\232\340\245\207\340\244\244\340\244\250\340\244\276'
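Added example, not part of any comment in this thread and not GNOME or Nautilus code: a filename audit that labels each class of look-alike listed above and prints names with their invisible characters spelled out. The label names, the function names and the use of the first word of the Unicode character name as a script label are assumptions made for illustration.

```python
import unicodedata

# Explicit bidi formatting characters: marks, embeddings, overrides, isolates.
BIDI_CONTROLS = set("\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e"
                    "\u2066\u2067\u2068\u2069")

def audit_filename(raw: bytes) -> list:
    """Return sorted labels for the display ambiguities found in one filename."""
    try:
        name = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ["invalid-utf8"]
    found, scripts, directions = set(), set(), set()
    for ch in name:
        cat = unicodedata.category(ch)
        if ch in BIDI_CONTROLS:
            found.add("bidi-control")
        elif cat == "Cf":
            found.add("invisible-format")   # zero-width space, joiners, BOM
        elif cat == "Zs" and ch != " ":
            found.add("odd-space")          # NBSP, narrow NBSP, ...
        elif cat.startswith("L"):
            # Assumption: first word of the character name approximates its script.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
            rtl = unicodedata.bidirectional(ch) in ("R", "AL")
            directions.add("rtl" if rtl else "ltr")
    if len(scripts) > 1:
        found.add("mixed-script")
    if len(directions) > 1:
        found.add("mixed-direction")        # reordered on display without any control
    if unicodedata.normalize("NFC", name) != name:
        found.add("not-nfc")                # e.g. base letter + combining accent
    return sorted(found)

def escape_for_display(raw: bytes) -> str:
    """Show a name with format characters and unusual spaces written as \\uXXXX."""
    name = raw.decode("utf-8", errors="backslashreplace")
    return "".join(
        f"\\u{ord(c):04x}" if unicodedata.category(c) in ("Cf", "Zs") and c != " "
        else c for c in name)

# Samples: S[RLO]iva.exe as UTF-8, then byte strings from the touch commands above.
SAMPLES = [b"S\342\200\256iva.exe", b"S\327\220\327\221va.exe", b"Voila\314\201",
           b"A\302\240FILE", b"f\342\200\213i\342\200\213l\342\200\213e",
           b"\321\200\320\260\321\225\321\225wd"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(escape_for_display(sample), audit_filename(sample))
```

The Devanagari name from the last command produces no labels, since its combining vowel signs are already in NFC and all its letters share one script, so names that legitimately need combining characters are not flagged.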
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a longer time (resources are unfortunately quite limited so not every ticket can get handled). If you can still reproduce the situation described in this ticket in a recent and supported software version of Files (nautilus), then please follow https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines and create a new ticket at https://gitlab.gnome.org/GNOME/nautilus/-/issues/ Thank you for your understanding and your help.