This has been known since even earlier, from the article/disclosure "Unix
Wildcards Gone Wild":
https://seclists.org/fulldisclosure/2014/Jun/136

The original article link seems to not work but it can be seen e.g. here:
https://github.com/Gandosha/gandosha.github.io/blob/master/DefenseCode_Unix_WildCards_Gone_Wild.txt

It shows that in some cases this can lead to code execution, e.g. with
"tar *".

On Fri, 8 Nov 2024 at 18:47, Georgi Guninski <ggunin...@gmail.com> wrote:

> This has been known since at least 2019, but the distro list can't tell
> a vulnerability from a rant [1] [2]
>
> `grep text -- *` is not a portable solution, since not all warez recognize
> --.
>
> e.g.:
>
> $find . --
> find: unknown predicate `--'
>
>
> [1] Shell wildcards considered dangerous?
> https://seclists.org/oss-sec/2019/q4/133
>
> [2]
> https://www.linkedin.com/pulse/careful-wildcards-linux-rm-georgi-guninski-ieaif
>
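
Added example, not part of either message above: a sketch of how a bare `*` lets a filename be parsed as an option, compared with `--` and with the `./*` prefix, which also works for tools such as find that reject `--`. The directory, file names and function names are constructed for illustration; the unsafe case assumes a grep that permutes options (as GNU grep does) and supports `-h`.

```shell
#!/bin/sh
# Added illustration; all files are constructed in a throwaway directory.

# Create a scratch directory with one ordinary file and one empty file
# whose name is a valid grep option (-v inverts the match).
make_demo_dir() {
    d=$(mktemp -d) || return 1
    printf 'text here\nother line\n' > "$d/notes.txt"
    : > "$d/-v"
    printf '%s\n' "$d"
}

# Bare glob: the shell expands * to "-v notes.txt" before grep runs,
# so grep receives -v as an option and prints the NON-matching lines.
grep_unsafe() {
    ( cd "$1" && grep -h text * )
}

# "--" ends option parsing, so -v is treated as a file name.
# Works for grep, but not every tool accepts "--".
grep_dashdash() {
    ( cd "$1" && grep -h text -- * )
}

# "./" prefix: every expanded name starts with "./", never with "-",
# so no tool can mistake it for an option.
grep_prefixed() {
    ( cd "$1" && grep -h text ./* )
}

# The same prefix works with find, where "--" is not accepted.
count_files_prefixed() {
    ( cd "$1" && find ./* -type f | wc -l | tr -d ' ' )
}

# Demonstration run on a constructed directory.
demo=$(make_demo_dir)
echo "bare glob : $(grep_unsafe "$demo")"
echo "with --   : $(grep_dashdash "$demo")"
echo "with ./*  : $(grep_prefixed "$demo")"
echo "find ./*  : $(count_files_prefixed "$demo") files"
rm -rf "$demo"
```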
