After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 549882 - Control characters alter filename appearance
Control characters alter filename appearance
Status: RESOLVED OBSOLETE
Product: nautilus
Classification: Core
Component: Views: All
3.28.x
Other Linux
: Normal normal
: ---
Assigned To: Nautilus Maintainers
Nautilus Maintainers
Depends on: 70399
Blocks:
 
 
Reported: 2008-08-29 23:28 UTC by Amaroq
Modified: 2021-06-18 15:53 UTC
See Also:
GNOME target: ---
GNOME version: 2.23/2.24


Attachments
S[RLO]iva.exe (Only contains text.) (14 bytes, application/octet-stream)
2008-08-29 23:31 UTC, Amaroq
Details

Description Amaroq 2008-08-29 23:28:47 UTC
After reading an article about how the LRO and RLO unicode characters could be used to produce deceptive filenames in Vista, me and a friend of mine tried this on Ubuntu to see if it would work there too.

I used the following command via terminal:

touch S[RLO]iva.exe

where [RLO] is the Right to Left Override character pasted into the terminal.
(Note that some terminals do not allow you to paste this character. At least my friend's didn't.)

ls'ing the directory shows something akin to S iva.exe. (The space would be the control character.)
Viewing the directory in nautilus or on the desktop shows the filename as "Sexe.avi".
Quite the tempting filename.

Indeed, everything GUI seems to render the effects of the control character. At least as far as viewing filename and saving files via Pidgin's file transfer and such. (The spoofed filename even remains intact in the field where the filename to save as is defaulted to the filename that the sender is sending.)

Double clicking would attempt to open it as an exe.

Obviously only remotely detrimental if you have Wine or something else that handles exe files. But still, the possibility for exploit using crafted filenames remains.

Something like [RLO]gpj.[LRO]ShellScript could easily be spoofed and would render as ShellScript.jpg.

Ubuntu 7.04 and 8.04lts, and probably more.

I have already posted this bug on bugs.launchpad.net/ubuntu. Somebody recommended opening a report here too.
https://bugs.launchpad.net/bugs/197804
Comment 1 Amaroq 2008-08-29 23:31:46 UTC
Created attachment 117610 [details]
S[RLO]iva.exe (Only contains text.)
Comment 2 Cosimo Cecchi 2008-08-30 10:17:11 UTC
I can kinda reproduce this bug here, but I don't fully understand what's the issue.
Are you suggesting that Nautilus and the other GNOME applications should not honor these RLO and LRO operators in displayed names for security reasons?
Comment 3 A. Walton 2008-08-30 11:18:46 UTC
That indeed is the suggestion, which sounds to me like it would maim i18n. CCing them to get their opinion. 
Comment 4 Behdad Esfahbod 2008-09-01 23:10:54 UTC
Makes some sense.  Though the issue is really hard.  See all the phishing discussions over internationalized domain names...  Lets say this depends on bug 70399.
Comment 5 Stanislav Brabec 2008-10-30 16:36:53 UTC
Providing a bad visual feedback is not only a problem of RLO. In worst case it could make an assumption, that you are going to overwrite existing file. Nothing worse could happen. (False IDN is a different issue.)

This is a very common case:

For example these two files should render equally due to RLO:

touch $'S\327\220\327\221va.exe' $'S\342\200\255\327\221\327\220va.exe'

And these due to flying/embedded accent:

touch $'Voil\303\241' $'Voila\314\201'

These three should render equally or nearly equally as well due to space attributes:
touch 'A FILE' $'A\302\240FILE' $'A\342\200\257FILE'

These due to use of Zero Width characters:
touch file $'f\342\200\213i\342\200\213l\342\200\213e'

And finally these due to combining with similar characters from other alphabets:
touch passwd $'\321\200\320\260\321\225\321\225wd'

And here use of the combining characted is mandatory (and it seems, that in GNOME 2.24 it does not render correctly):

touch $'\340\244\232\340\245\207\340\244\244\340\244\250\340\244\276'
Comment 6 André Klapper 2021-06-18 15:53:19 UTC
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org.
As part of that, we are mass-closing older open tickets in bugzilla.gnome.org
which have not seen updates for a longer time (resources are unfortunately
quite limited so not every ticket can get handled).

If you can still reproduce the situation described in this ticket in a recent
and supported software version of Files (nautilus), then please follow
  https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines
and create a new ticket at
  https://gitlab.gnome.org/GNOME/nautilus/-/issues/

Thank you for your understanding and your help.