> Wouldn't you need to have some process which was passing untrusted data > directly to the `-f` argument, is that likely in the real world?
It may not be likely, but anything that makes a command line tool crash or output weird data after being fed unfiltered command line input is not a good situation. I could see a situation where this might be exploited in a script to give bad results or kill the wrong process. So it's probably low risk, but I'd like to reduce that risk further.
