From 5e3d207d5b7dba28ca248475188a029570766bc1 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Mon, 30 May 2022 17:03:26 -0700
Subject: grep: sanity-check GREP_COLOR This patch closes a longstanding security issue with GREP_COLOR that I just noticed, where if the attacker has control over GREP_COLOR's settings the attacker can trash the victim's terminal or have 'grep' generate misleading output. For example, without the patch the shell command: GREP_COLOR="$(printf '31m\33[2J\33[31')" grep --color=always PATTERN mucks with the screen, leaving behind only the trailing part of the last matching line. With the patch, this GREP_COLOR is ignored. * src/grep.c (main): Sanity-check GREP_COLOR contents the same way GREP_COLORS values are checked, to not trash the user's terminal. This follows up the recent fix to Bug#55641.
---
 src/grep.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'src')
diff --git a/src/grep.c b/src/grep.c
index edefac6c..59d34310 100644
--- a/src/grep.c
+++ b/src/grep.c
@@ -2911,7 +2911,12 @@ main (int argc, char **argv)
 /* Legacy. */
 char *userval = getenv ("GREP_COLOR");
 if (userval != NULL && *userval != '\0')
- selected_match_color = context_match_color = userval;
+ for (char *q = userval; *q == ';' || c_isdigit (*q); q++)
+ if (!q[1])
+ {
+ selected_match_color = context_match_color = userval;
+ break;
+ }
 /* New GREP_COLORS has priority. */
 parse_grep_colors ();
--
cgit v1.2.1
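Review bot: The added `for` loop has no comment stating what it accepts or why, so a reader must work out that reaching `!q[1]` means every byte up to the terminator was a digit or `;`. I would put a comment above the loop, for example `/* Accept GREP_COLOR only if it consists solely of digits and ';', so it cannot carry escape sequences to the terminal. */`. The commit message says GREP_COLORS values are checked the same way; that code is outside this hunk, but if it is a separate loop, a shared helper would keep the two allowlists from drifting apart. A rejected value is ignored without any diagnostic, which is worth stating in the user documentation for GREP_COLOR so that a setting that stops working is explainable. main starts and ends outside the hunk.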