special characters in filename are not escaped for error messages

[vinc17fr]

With the current less from Git and previous versions, special characters in filename are not escaped for error messages. This can do bad things in the terminal.

For instance, with a shell that accepts the $'...' syntax (otherwise Ctrl-V should be used to enter the escape character):

$ file=test$'\033'\[\?5h
$ echo foo > "$file"
$ chmod 000 "$file"
$ less "$file"
test: Permission denied

and the terminal is put in reverse video. One can also use test$'\033'\[\?40h$'\033'\[\?3h in a 80-column xterm, which has the effect to resize the terminal to 132 columns.

[vinc17fr]

There's also a minor issue when the file is viewable:

$ file=test$'\033'\[\?5hend
$ echo foo > "$file"
$ less -M "$file"
$ less -MR "$file"

With just -M, I get the status line

testESC[?5hend lines 1-1/1 (END)

in reverse video, which is OK. But with -MR, I just get

testend lines 1-1/1 (END)

where only test is in reverse video.

[carnil]

Cross reference to a downstream report: https://bugs.debian.org/1069681

[gwsw]

Probably fixed in e98b228.
Needs a bit more testing.

[gwsw]

Ok, as far as I can tell, this is fixed.

[carnil]

Just for clarity with the above reference: 2a642a0 should be the isolated fix itself.

[IgorTodorovskiIBM]

Do you plan to publish a new version soon? We're seeing the current version flagged with https://nvd.nist.gov/vuln/detail/CVE-2024-32487

[gwsw]

Yes, less-654 is in beta testing now. If no serious problems turn up, I expect to release it within a couple of weeks.
http:https://greenwoodsoftware.com/less/index.html