The name of cat utility is derived from its function to concatenate files, so nothing about kittens, i’m sorry!
Cover image courtesy of Ivo The Cat
cat is a tool which reads data from one locations and writes it to another.
Usually it is used to read text from a file and write it to STDOUT, and it also supports some control characters, such as line-feeds \f, newlines \n and carriage returns \r.
Let’s try to focus on of rendering carriage return \r characters: \r will move the cursor back to the beginning of the line, and characters printed thereafter will be written over anything that was printed previously.
So, if we create a textfile containing a string, plus a \r character and another string, a cat of this file will display only the second string, because the first will be overwritten.
For example, with this simple python script:
#!/usr/bin/env python hidden_string = "echo 'This is an hidden string!'" visible_string = "echo 'This is a visible string!'" with open("joke.sh", "w") as f: output = "#!/bin/sh\n" output += hidden_string + ";" + visible_string + " #\r" + visible_string + " " * (len(hidden_string) + 3) + "\n" #add spaces in order to overwrite the entire hidden string f.write(output) print ("Done!")
We are able to write a bash script that displays a result if processed with cat but performs more operations if executed:
[email protected]:~/Projects/CatJoke$ ./catjoke.py Done! [email protected]:~/Projects/CatJoke$ ls catjoke.py joke.sh [email protected]:~/Projects/CatJoke$ cat joke.sh #!/bin/sh echo 'This is a visible string!' [email protected]:~/Projects/CatJoke$ bash joke.sh This is an hidden string! This is a visible string!
This is a simple joke, however it may also have some security impacts: when downloading a script from the Internet, most users checks the content of the script using the cat command.
So, a bad actor can use this trick to embed malicious code into a script seemingly safe.
Luckily, the same file opened with an editor reveals the real content, and also cat is able (-A) to display file content ignoring the control characters:
[email protected]:~/Projects/CatJoke$ cat -A joke.sh #!/bin/sh echo 'This is an hidden string!';echo 'This is a visible string!' #^Mecho 'This is a visible string!'