On Fri, Nov 19, 2021 at 12:53 PM Marshall Whittaker <marshallwhitta...@gmail.com> wrote:

> You could argue that bash should parse filenames globbed from * that start
> with - and exclude them specifically,

Or a shell could prepend ./ to all relative globs. Not sure if that would change the behaviour of some program though. But you're free to write a shell or a patch to do something like that, and see if it gets any traction?

I know at least zsh has some features to warn about doing things like rm *, but at least the version I tried doesn't seem to check for filenames that look like options.

Though of course there's also the issue that some utilities take as options things that start with a plus, also. Like Bash's +O.

> A short whitepaper on it has been made public at:
> https://oxagast.org/posts/bash-wildcard-expansion-arbitrary-command-line-arguments-0day/
> complete with a mini PoC.

Given I just linked you two posts about that from 11 years ago, I fail to see how you could honestly consider that a "0-day" issue.

Not that people falling into a decades-old trap is much better, actually, so it probably wouldn't be a bad thing if shells started warning about that.
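
The effect of prefixing a relative glob with ./ and a check for file names that look like options, as discussed in the message above, shown as an added example that is not part of the original message or of any shell's code. The function names are hypothetical, the file names are constructed, the counter assumes a GNU-style parser that accepts options anywhere before `--`, and the `--` case is included for comparison only.

```sh
#!/bin/sh
# Added example: function names are hypothetical, file names are constructed.

# Count arguments a utility would read as options, modelling a GNU-style
# parser that accepts options anywhere before a literal "--".
count_optionlike_args() {
    n=0
    for arg in "$@"; do
        case $arg in
            --)  break ;;
            -?*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Expand the directory's contents three ways and report the count.
optionlike_after_expansion() {   # $1 = dir, $2 = bare | dotslash | dashdash
    ( cd "$1" || exit 1
      case $2 in
          bare)     count_optionlike_args * ;;      # cmd *
          dotslash) count_optionlike_args ./* ;;    # cmd ./*
          dashdash) count_optionlike_args -- * ;;   # cmd -- *
      esac )
}

# Audit check: list names starting with '-' or '+' (some tools take +options).
list_optionlike_names() {
    ( cd "$1" || exit 1
      for f in ./-* ./+*; do
          [ -e "$f" ] || [ -L "$f" ] || continue   # skip unmatched patterns
          printf '%s\n' "${f#./}"
      done )
}

# Scratch directory holding constructed sample names.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/-rf"; : > "$d/+O"; : > "$d/notes.txt"
    printf '%s\n' "$d"
}

dir=$(make_sample_dir) || exit 1
for mode in bare dotslash dashdash; do
    echo "$mode: $(optionlike_after_expansion "$dir" "$mode") option-like argument(s)"
done
list_optionlike_names "$dir"
rm -rf -- "$dir"
```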