Package: dash Version: 0.5.11+git20200708+dd9ef66-5 Severity: important Control: tags -1 + security
Dear Maintainer, The option -- is not documented For instance, as every posix shell sh -c -x 'echo "$@"' echo foo is equivalent to sh -x -c 'echo "$@"' echo foo and not sh -c -- -x 'echo "$@"' echo foo That will execute -x as expected This corner case should be clearly documented and could have security implication if argument of sh -c is not filtered. Therefore -- style is prefered see https://www.austingroupbugs.net/view.php?id=1440#c5192 Bastien