When including the listing of a directory in root's security mail, pass the

-q flag to ls(1) so that non-printable characters will appear as '?'. This
prevents a malicious user from fooling the administrator into thinking the
contents of a file name are actually valid script output (note that you can
put newlines in file names); deraadt@ ok

src/etc/security

@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#	$OpenBSD: security,v 1.38 2000/07/23 19:49:17 rohee Exp $
+#	$OpenBSD: security,v 1.39 2000/10/06 17:35:30 aaron Exp $
 #	from: @(#)security	8.1 (Berkeley) 6/9/93
 #
 
@@ -18,7 +18,7 @@ OUTPUT=$DIR/_secure6
 
 if ! mkdir $DIR ; then
 	printf "tmp directory %s already exists, looks like:\n" $DIR
-	ls -alF $DIR
+	ls -alqF $DIR
 	exit 1
 fi