Control characters alter filename appearance
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Nautilus | Confirmed | Medium | | |
nautilus (Ubuntu) | Triaged | Low | Ubuntu Desktop Bugs | |
Bug Description
After reading an article about how the LRO and RLO Unicode characters could be used to produce deceptive filenames in Vista, a friend of mine and I tried this on Ubuntu to see if it would work there too.
I used the following command via terminal:
touch S[RLO]iva.exe
where [RLO] is the Right to Left Override character pasted into the terminal.
(Note that some terminals do not allow you to paste this character. At least my friend's didn't.)
ls'ing the directory shows something akin to S iva.exe. (The space would be the control character.)
Viewing the directory in nautilus shows the filename as "Sexe.avi".
Quite the tempting filename.
Indeed, everything GUI seems to render the effects of the control character. At least as far as viewing filename and saving files via Pidgin's file transfer and such. (The spoofed filename even remains intact in the field where the filename to save as is defaulted to the filename that the sender is sending.)
Double clicking would attempt to open it as an exe.
Obviously only remotely detrimental if you have Wine or something else that handles exe files. But still, the possibility for exploit using crafted filenames remains.
Something like [RLO]gpj.
Ubuntu 7.10.
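A defensive check for the behaviour reported above, added here as an example and not part of the original report or of Nautilus: it flags filenames that contain bidirectional formatting or control characters and shows the stored character order next to the real extension. The function names and the sample filenames are constructed for illustration.

```python
import os
import unicodedata

# Bidi classes of the explicit directional formatting characters
# (embeddings, overrides, isolates and their terminators).
BIDI_FORMAT_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF",
                       "LRI", "RLI", "FSI", "PDI"}


def suspicious_chars(name):
    """Return (index, code point, Unicode name) for each character that can
    change how the filename is rendered."""
    hits = []
    for i, ch in enumerate(name):
        if (unicodedata.bidirectional(ch) in BIDI_FORMAT_CLASSES
                or unicodedata.category(ch) == "Cc"):
            hits.append((i, f"U+{ord(ch):04X}",
                         unicodedata.name(ch, "<control>")))
    return hits


def visible(name):
    """Escape flagged characters so the stored (logical) order is readable."""
    flagged = {i for i, _, _ in suspicious_chars(name)}
    return "".join(f"<U+{ord(c):04X}>" if i in flagged else c
                   for i, c in enumerate(name))


def audit(names):
    """Yield a report for every name containing a flagged character."""
    for name in names:
        hits = suspicious_chars(name)
        if hits:
            yield {
                "shown_safely": visible(name),
                # The extension is taken from the stored order, which is
                # what the system acts on, not from the rendered order.
                "real_extension": os.path.splitext(name)[1].lower(),
                "chars": hits,
            }


# Constructed sample names; the first is the one from the report.
SAMPLES = ["S\u202eiva.exe", "holiday.jpg", "notes\u202dtxt.sh", "report.pdf"]

if __name__ == "__main__":
    for report in audit(SAMPLES):
        print(report)
```

To check a real directory, pass `os.listdir(path)` to `audit()` instead of `SAMPLES`.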
Changed in nautilus: status: Incomplete → Triaged
Changed in nautilus: status: Unknown → Confirmed
Changed in nautilus: importance: Unknown → Medium
redirecting this to nautilus, perhaps someone will have a look at it...