Message-ID: <ZyukRn2-8UWsW7aX@nihonium>
Date: Wed, 6 Nov 2024 18:15:50 +0100
From: Fay Stegerman <flx@...usk.net>
To: oss-security@...ts.openwall.com
Subject: Re: shell wildcard expansion (un)safety

* Eli Schwartz <eschwartz@...too.org> [2024-11-06 05:42]:
> On 11/5/24 11:12 PM, Solar Designer wrote:
> > So there's no bug in the shells here, but bugs of this kind are common
> > in shell usage (omitting the "--" argument where it's needed, usage of
> > wildcard expansion where that is unnecessary, etc.)
> >
> > Can the shells do anything to mitigate this?  I think not without
> > breaking compatibility.  The only not-too-unreasonable change I can
> > think of is wildcard expansion prefixing filenames with "./", maybe only
> > those that start with "-" and maybe not when used with builtin "echo".
>
> Well, to be fair the shell already does exactly this if you do
>
> grep text ./*

And shellcheck will warn about this kind of bug and suggest doing exactly
that or using "--":

$ cat x.sh
#!/bin/bash
grep text *
$ shellcheck x.sh

In x.sh line 2:
grep text *
          ^-- SC2035 (info): Use ./*glob* or -- *glob* so names with dashes won't become options.

For more information:
  https://www.shellcheck.net/wiki/SC2035 -- Use ./*glob* or -- *glob* so name...

- Fay
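The SC2035 situation from the message, reproduced as an added example (not part of the thread): a throwaway directory holds a file literally named "-v" next to a normal file, and the three spellings of the glob are compared. Assumes GNU grep, which permutes options so the stray "-v" becomes --invert-match even though it lands after the pattern.

```bash
#!/bin/bash
# Added example: shows an unquoted "*" handing a filename to grep as an option,
# and the two fixes shellcheck SC2035 suggests ("./*" and "--").
# Assumes GNU grep (option permutation; POSIXLY_CORRECT unset).

# count_matching_files MODE -> prints how many files grep lists as matching
# MODE is one of: unsafe | dotslash | dashdash
count_matching_files() {
    local dir
    dir=$(mktemp -d) || return 1
    printf 'text here\n' > "$dir/normal.txt"
    printf 'text here\n' > "$dir/-v"       # hostile name, same content as normal.txt
    (
        cd "$dir" || exit 1
        unset POSIXLY_CORRECT
        export LC_ALL=C                     # deterministic glob order ("-v" sorts first)
        case "$1" in
            unsafe)
                # shellcheck disable=SC2035
                grep -l text * ;;           # runs as: grep -l text -v normal.txt  (-v is an option)
            dotslash)
                grep -l text ./* ;;         # runs as: grep -l text ./-v ./normal.txt
            dashdash)
                grep -l text -- * ;;        # runs as: grep -l text -- -v normal.txt
            *) exit 2 ;;
        esac | wc -l | tr -d ' '
    )
    local rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

With the unsafe spelling grep inverts the match and lists no files; with either fix both files are reported.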