Follow-up Comment #3, bug #65804 (group findutils):
Tilde-expansions can also expand to values relative to the current directory
and (worse) $OLDPWD, and this is precisely the dangerous scenario that the
warning is concerned with. Note the second paragraph in this excerpt from
the manual page for Bash:

   Tilde Expansion
       If a word begins with an unquoted tilde character (`~'), all of the
       characters preceding the first unquoted slash (or all characters, if
       there is no unquoted slash) are considered a tilde-prefix. If none
       of the characters in the tilde-prefix are quoted, the characters in
       the tilde-prefix following the tilde are treated as a possible login
       name. If this login name is the null string, the tilde is replaced
       with the value of the shell parameter HOME. If HOME is unset, the
       home directory of the user executing the shell is substituted
       instead. Otherwise, the tilde-prefix is replaced with the home
       directory associated with the specified login name.

       If the tilde-prefix is a `~+', the value of the shell variable PWD
       replaces the tilde-prefix. If the tilde-prefix is a `~-', the value
       of the shell variable OLDPWD, if it is set, is substituted. If the
       characters following the tilde in the tilde-prefix consist of a
       number N, optionally prefixed by a `+' or a `-', the tilde-prefix is
       replaced with the corresponding element from the directory stack, as
       it would be displayed by the dirs builtin invoked with the
       tilde-prefix as an argument. If the characters following the tilde
       in the tilde-prefix consist of a number without a leading `+' or
       `-', `+' is assumed.

       If the login name is invalid, or the tilde expansion fails, the word
       is unchanged.

_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?65804>
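
The rules in the manual excerpt above, written out as a small classifier that reports which tilde-prefixes resolve from the shell's directory state (PWD, OLDPWD, the dirs stack) rather than from a fixed home directory. This is an added example, not part of the original comment and not code from findutils or Bash. The function names are hypothetical, the input word is assumed to be unquoted, and login names are not checked for validity.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Words are assumed unquoted.

# tilde_prefix WORD: print the text between the leading "~" and the first
# slash. Returns 1 if WORD does not begin with a tilde.
tilde_prefix() {
    case $1 in
        '~'*) ;;
        *) return 1 ;;
    esac
    p=${1#?}                    # drop the leading tilde
    printf '%s\n' "${p%%/*}"    # keep what precedes the first slash
}

# tilde_class WORD: print which rule of the manual excerpt applies:
#   none      no tilde-prefix        home      ~    -> $HOME
#   login     ~name -> user's home   pwd       ~+   -> $PWD
#   oldpwd    ~-    -> $OLDPWD       dirstack  ~N, ~+N, ~-N
tilde_class() {
    prefix=$(tilde_prefix "$1") || { echo none; return; }
    case $prefix in
        '')  echo home ;;
        '+') echo pwd ;;
        '-') echo oldpwd ;;
        *)
            digits=${prefix#[+-]}       # optional sign before the number
            case $digits in
                ''|*[!0-9]*) echo login ;;
                *) echo dirstack ;;
            esac ;;
    esac
}

# depends_on_cwd WORD: exit 0 when the same word can name a different
# directory after a cd (it tracks PWD, OLDPWD or the directory stack).
depends_on_cwd() {
    case $(tilde_class "$1") in
        pwd|oldpwd|dirstack) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample words, not taken from the bug report.
for w in '~/bin' '~alice/bin' '~+/bin' '~-/bin' '~2' './bin'; do
    flag=stable
    if depends_on_cwd "$w"; then flag=directory-dependent; fi
    printf '%-12s %-9s %s\n' "$w" "$(tilde_class "$w")" "$flag"
done
```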