Description
Filenames on Linux can contain arbitrary characters except for the path separator '/'. Thus filenames can also contain possibly dangerous characters like ASCII control codes (newline, linefeed, etc.) or even complete ANSI/CSI terminal escape sequences.
On the croc receiver side, the filenames communicated by the sender are accepted unfiltered and are also printed on stdout during transmission. When that happens, the escape sequences are interpreted by the receiver's terminal and can produce colored text, move the cursor around or, if an insecure terminal emulator setup is used, even lead to arbitrary code execution.
In particular, this issue is a nice addition to issues #593 and #594, since it allows hiding the filenames of previously transmitted files on stdout, making the attack less conspicuous. This is an example of how this can be done:
```shell
# this moves the cursor up one line and performs a carriage return, thus
# overwriting the previous line on the terminal
sender $ touch "`echo -e '\033[1A\rharmless'`"
sender $ touch "evil"
sender $ croc send evil *harmless
[...]
receiver $ croc <shared-secret>
receiver $ Accept 2 files (0 B)? (Y/n) Y
harmless 100% |████████████████████| ( 0/ 1 B) 2/2
```
An interactive user will only see the "harmless" file, probably not noticing that a file seems to be "missing" in the output.
To fix this, croc should filter filenames on the receiver side and either reject or replace any unsafe non-printable characters.
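One way the receiver could implement such a filter, as an added example in Go (croc's language) that is not croc's own code; `SanitizeFilename` is a hypothetical name and the sample filenames are constructed from the report above:

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// SanitizeFilename returns a copy of name that is safe to print on a
// terminal: every rune that is not printable (C0/C1 control codes such as
// ESC 0x1b, CR, LF and TAB, plus invalid UTF-8 bytes) is replaced with '?'.
// The boolean reports whether anything was replaced, so the receiver can
// decide between renaming the file and rejecting the transfer outright.
func SanitizeFilename(name string) (string, bool) {
	var b strings.Builder
	changed := false
	for _, r := range name {
		// An invalid byte sequence decodes to utf8.RuneError (width 1);
		// treat it like a control character rather than echoing raw bytes.
		// A literal U+FFFD in a name is replaced as well, which is harmless.
		if r == utf8.RuneError || !unicode.IsPrint(r) {
			b.WriteRune('?')
			changed = true
			continue
		}
		b.WriteRune(r)
	}
	return b.String(), changed
}

func main() {
	// Constructed samples: the filename from the report that moves the
	// cursor up one line and does a carriage return before "harmless",
	// a benign name, and a name carrying an invalid UTF-8 byte.
	for _, name := range []string{"\x1b[1A\rharmless", "evil", "bad\xff.txt"} {
		safe, changed := SanitizeFilename(name)
		fmt.Printf("%q -> %q (changed=%v)\n", name, safe, changed)
	}
}
```

The sanitized name is what should be shown in the progress output and used on disk; a stricter receiver can simply refuse any transfer where the boolean is true.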