Collin Funk wrote: > every single unescaped string as a "security vulnerability".
Replicating every argument literally (like 'ls --literal') is not a security vulnerability. But it is an instance of "garbage in - garbage out": If the user passes, say, an ANSI escape sequence for clearing the terminal's screen, only low-quality implementations will replicate it on stdout literally. And even without escape sequences, there's a difference between $ rm 'the prime minister' /bin/rm: cannot remove the prime minister: No such file or directory and $ rm 'the prime minister' /bin/rm: cannot remove 'the prime minister': No such file or directory > However, for printing arguments given by the user No, the user is in general not aware of all arguments passed to all commands. In general, the user might be using or invoking a program A, that invokes a program B (with arguments that A has computed), that invokes C (with computed arguments again), and so on, until some of these programs invokes 'gzip'. When something goes wrong, the user will see the diagnostics from 'gzip', but the user is not the one who provided / understood / acknowledged the arguments passed to 'gzip'. Bruno
