#1133283 lftp does not filter non-printable characters in the output to the terminal

Package: lftp
Source: lftp
Description: Sophisticated command-line FTP/HTTP/BitTorrent client programs
Submitter: Vincent Lefevre
Date: 2026-04-11 17:07:01 UTC
Severity: normal
Tags:

#1133283#5
Date: 2026-04-11 16:28:37 UTC
From:
To:
I reported the following bug upstream a few days ago and also
posted to the oss-security list:
https://www.openwall.com/lists/oss-security/2026/04/09/4

lftp does not filter non-printable characters in the output to
the terminal. For instance:

$ mkdir /tmp/dir
$ cd /tmp/dir
$ touch "file$(tput smacs)" foo
$ ls
'file'$'\033''(0'   foo
$ lftp sftp://localhost/tmp/dir
cd ok, cwd=/tmp/dir
lftp localhost:/tmp/dir> dir
drwxr-xr-x    2 vinc17   vinc17         80 Apr  9 02:07 .
drwxrwxrwt   22 root     root          560 Apr  9 02:07 ..
-rw-r--r--    1 vinc17   vinc17          0 Apr  9 02:07 file
-⎼┬-⎼--⎼--    1 ┴␋┼␌17   ┴␋┼␌17          0 A⎻⎼  9 02:07 °⎺⎺
┌°├⎻ ┌⎺␌▒┌␤⎺⎽├:/├└⎻/␍␋⎼>

and

$ lftp sftp://localhost/tmp/dir
cd ok, cwd=/tmp/dir
lftp localhost:/tmp/dir> get file^[(0
get: /home/vinc17/file: F␋┌␊ ␊│␋⎽├⎽
┌°├⎻ ┌⎺␌▒┌␤⎺⎽├:/├└⎻/␍␋⎼>

(note: I typed "get file", then the Tab key to complete).

As a comparison, sftp does not have any issue:

$ sftp sftp://localhost//tmp/dir
Connected to localhost.
Changing to: /tmp/dir
sftp> dir
file\033(0   foo
sftp> get file^[(0
Fetching /tmp/dir/file\033(0 to file\033(0

Remote directories may contain untrusted data. In particular, a
malicious user may have created file names with specially chosen
escape sequences to introduce issues with the terminal and possibly
security implications in some terminal configurations.
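
An added example, not part of the report and not code from lftp or sftp: one way a client could escape control characters in a remote file name before writing it to the terminal, producing the same \033 style as the sftp output quoted above. The function names are hypothetical, and a UTF-8 terminal is assumed.

```c
#include <stdio.h>
#include <string.h>

/* Append one byte as a backslash and three octal digits (ESC -> \033). */
static size_t put_octal(char *out, size_t o, unsigned char c)
{
    out[o++] = '\\';
    out[o++] = (char)('0' + ((c >> 6) & 7));
    out[o++] = (char)('0' + ((c >> 3) & 7));
    out[o++] = (char)('0' + (c & 7));
    return o;
}

/* Copy name into out with C0 controls, DEL and UTF-8 encoded C1 controls
 * escaped. Returns the number of control characters escaped, or -1 if out
 * is too small. Assumes a UTF-8 terminal; other bytes pass through. */
int escape_for_terminal(const char *name, char *out, size_t outsz)
{
    const unsigned char *p = (const unsigned char *)name;
    size_t o = 0;
    int escaped = 0;
    if (outsz == 0) return -1;              /* no room even for the NUL */
    for (; *p; p++) {
        if (o + 9 > outsz)                  /* worst case: 8 bytes + NUL */
            return -1;
        if (*p == 0xC2 && p[1] >= 0x80 && p[1] <= 0x9F) {
            o = put_octal(out, o, *p++);    /* C1 control, e.g. CSI U+009B */
            o = put_octal(out, o, *p);
            escaped++;
        } else if (*p < 0x20 || *p == 0x7F) {
            o = put_octal(out, o, *p);      /* C0 control or DEL */
            escaped++;
        } else if (*p == '\\') {
            out[o++] = '\\'; out[o++] = '\\';   /* keep output unambiguous */
        } else {
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    char buf[64];   /* constructed sample: the file name from the report */
    if (escape_for_terminal("file\033(0", buf, sizeof buf) >= 0)
        puts(buf);
    return 0;
}
```

A nonzero return value can also be logged, since a control sequence in a remote file name is worth noticing in its own right.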