yath displays arbitrary filenames without escaping

[robrwo]

Inspired by https://www.openwall.com/lists/oss-security/2025/08/13/4 which talks about how unescaped filenames can be used to trigger vulnerabilities in terminals etc.

mkdir -p t
touch t/$(printf "file\e[H\e[0j\e[1mBoo\e[0m.t"))

yath

this will output unescaped filenames and run some annoying ANSI sequences.

Either escape the filenames before printing, or be more restrictive about the filenames that are handled (though escape them when showing errors)

See also Perl-Toolchain-Gang/Test-Harness#144

[exodist]

Patches are welcome, but I do not consider this a high priority. I am trying to think of how it could be used as an attack. Maybe a bad cpan dist that people would want to install will have their terminal crash if they run the tests? Can you give me an example of this doing harm rather than inconvenience?