Conversation

Notices

1. Embed this notice
   Alfred M. Szmidt (amszmidt@mastodon.social)'s status on Saturday, 10-May-2025 16:58:10 JST Alfred M. Szmidt

   in reply to

   • Lee Holmes :donor:
   • Lars Brinkhoff
   • acile :archlinux:

   @larsbrinkhoff We just make people use operating systems that are from a more civilized era.

   @0xba @Lee_Holmes

   • Embed this notice
     Lars Brinkhoff (larsbrinkhoff@mastodon.sdf.org)'s status on Saturday, 10-May-2025 16:58:11 JST Lars Brinkhoff

     in reply to

     • Lee Holmes :donor:
     • acile :archlinux:

     @0xba @Lee_Holmes This is the way. But honestly, can we expect people to remember that every time?

     I work with weird file names like -READ- -THIS- so I have learned to use -- in my scripts. Even so, I sometimes forget.

   • Embed this notice
     Lee Holmes :donor: (lee_holmes@infosec.exchange)'s status on Saturday, 10-May-2025 16:58:19 JST Lee Holmes :donor:

     in reply to

     I'm sure there's something here, but I don't have the patience to find it :)

   • Embed this notice
     acile :archlinux: (0xba@social.tchncs.de)'s status on Saturday, 10-May-2025 16:58:19 JST acile :archlinux:

     in reply to

     • Lee Holmes :donor:

     @Lee_Holmes did you try 'exec find *' ?
     Anyway "find *" would be very unusual to call.

     To extend this, this issue is addressed by many core utils with the "--" argument which says, after this occurrence no further options are accepted. Always use this in shell scripts! In particular when you do not sanitize the input properly before (like with the shell expansion *). E g. "ls -- *"

   • Embed this notice
     Lee Holmes :donor: (lee_holmes@infosec.exchange)'s status on Saturday, 10-May-2025 16:58:20 JST Lee Holmes :donor:

     It makes me super uncomfortable that globbing in Bash can turn into code execution. The fact that the name of a file can change the behavior of ls is scary. This also works for other commands that you tend to glob with, such as rm.