
oss-sec mailing list archives
Re: shell wildcard expansion (un)safety
From: Fay Stegerman <flx () obfusk net>
Date: Wed, 6 Nov 2024 18:15:50 +0100
* Eli Schwartz <eschwartz () gentoo org> [2024-11-06 05:42]:
> On 11/5/24 11:12 PM, Solar Designer wrote:
> > So there's no bug in the shells here, but bugs of this kind are common
> > in shell usage (omitting the "--" argument where it's needed, usage of
> > wildcard expansion where that is unnecessary, etc.) Can the shells do
> > anything to mitigate this? I think not without breaking compatibility.
> > The only not-too-unreasonable change I can think of is wildcard
> > expansion prefixing filenames with "./", maybe only those that start
> > with "-" and maybe not when used with builtin "echo".
>
> Well, to be fair the shell already does exactly this if you do
>
>     grep text ./*

And shellcheck will warn about this kind of bug and suggest doing exactly that
or using "--":

    $ cat x.sh
    #!/bin/bash
    grep text *
    $ shellcheck x.sh

    In x.sh line 2:
    grep text *
              ^-- SC2035 (info): Use ./*glob* or -- *glob* so names with dashes won't become options.

    For more information:
      https://www.shellcheck.net/wiki/SC2035 -- Use ./*glob* or -- *glob* so name...

- Fay
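The three glob forms discussed in this message, side by side, as an added example that is not part of the original thread. The directory contents, file names and function names are constructed for the demonstration; it assumes a POSIX sh with mktemp and grep available.

```shell
#!/bin/sh
# Added illustration: every file name and line of content below is constructed.
LC_ALL=C; export LC_ALL        # fixed collation so "-v" sorts before "notes.txt"

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

printf 'some text\nother line\n' > "$demo_dir/notes.txt"
: > "$demo_dir/-v"             # empty file whose name is grep's invert-match option

# Bare glob: expands to `grep text -v notes.txt`, so "-v" is parsed as an
# option and grep prints the lines that do NOT match.
grep_bare()     { ( cd "$demo_dir" && grep text * ); }

# "./" prefix: expands to `grep text ./-v ./notes.txt`; both are file operands.
grep_dotslash() { ( cd "$demo_dir" && grep text ./* ); }

# "--" ends option parsing: `grep text -- -v notes.txt`; both are file operands.
grep_dashdash() { ( cd "$demo_dir" && grep text -- * ); }

# Audit helper (hypothetical name): list entries in a directory whose names
# begin with "-" and would be taken as options by a bare glob.
dash_names() {
    (
        cd "$1" || exit 1
        for f in -*; do
            # The glob stays literal ("-*") when nothing matches; skip that case.
            if [ -e "./$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    )
}

echo "bare glob:   $(grep_bare)"
echo "./* glob:    $(grep_dotslash)"
echo "-- * glob:   $(grep_dashdash)"
echo "dash names:  $(dash_names "$demo_dir")"
```
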