This is known since even earlier by the article/disclosure „unix wildcards gone wild”: https://seclists.org/fulldisclosure/2014/Jun/136
The original article link seems to not work but it can be seen e.g. here:
https://github.com/Gandosha/gandosha.github.io/blob/master/DefenseCode_Unix_WildCards_Gone_Wild.txt

It shows that in some cases this can lead to code execution, e.g. with „tar *”

On Fri, 8 Nov 2024 at 18:47, Georgi Guninski <ggunin...@gmail.com> wrote:

> This is known since at least 2019, but the distro list can't tell
> vulnerability from a rant [1] [2]
>
> `grep text -- *` is not a portable solution, since not all warez recognize
> --.
>
> e.g.:
>
> $find . --
> find: unknown predicate `--'
>
>
> [1] Shell wildcards considered dangerous?
> https://seclists.org/oss-sec/2019/q4/133
>
> [2]
> https://www.linkedin.com/pulse/careful-wildcards-linux-rm-georgi-guninski-ieaif
>
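
An added example, not part of either message in this thread: a POSIX shell check for file names that an unquoted `*` would pass to a command as options, compared with the `./*` form, which does not depend on the command accepting `--`. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed.

# Print each entry in directory $1 whose name begins with '-'.
# An unquoted `*` would hand these names to a command as options.
dash_names() {
    ( cd "$1" || exit 1
      for f in ./-*; do
          # An unmatched pattern stays literal; skip it.
          [ -e "$f" ] || [ -L "$f" ] || continue
          printf '%s\n' "${f#./}"
      done )
}

# Count how many of the given arguments begin with '-'.
count_optionlike() {
    n=0
    for a in "$@"; do
        case $a in -*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Build a constructed sample directory, then compare what `*` and `./*`
# expand to. No command is run on the files themselves.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/notes.txt"; : > "$d/-n"; : > "$d/--version"
    bare=$(cd "$d" && count_optionlike *)
    prefixed=$(cd "$d" && count_optionlike ./*)
    found=$(dash_names "$d" | wc -l)
    rm -rf "$d"
    echo "bare=$bare prefixed=$prefixed found=$((found))"
}

demo   # prints: bare=2 prefixed=0 found=2
```

With `./*` every expanded word starts with `./`, so none of them can be read as an option, whether or not the command recognizes `--`.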