On Mon, Nov 22, 2010 at 10:33 AM, Марк Коренберг <socketp...@gmail.com> wrote:
> in latest bash:
>
> suppose script:
>
> for i in "${filenam...@]}"; do
>     echo "$i"
> done
>
> if malicious user give file name "-e", empty string will be emitted to
> stdout, but string "-e" should.
>
> It will be nice if I can write
> echo -- "$i"
> as many tools, such as grep, use.
>
> Now, I replace echo "$i" with printf "%s\n" "$i", but it is
> workaround, as I think.
>
> --
> Segmentation fault
>

It's one of the known problems with echo. SUS specifically says that -- should not do that, that echo is not portable and that "New applications are encouraged to use printf instead of echo".
So printf is more than a workaround, it's the way to go.
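
The behaviour discussed in this thread, as an added example that is not part of the original messages: a check that compares what the `echo` loop and the `printf` loop emit for constructed file names. It goes beyond `-e` to cover `-n`, `-E` and a name containing a backslash sequence; the function names are hypothetical.

```sh
#!/bin/sh
# Added example; the file names below are constructed test data.

# The loop from the thread: each name is handed to echo as its first argument.
list_with_echo() {
    for i in "$@"; do
        echo "$i"
    done
}

# The replacement: the format string is fixed and the name is only data.
list_with_printf() {
    for i in "$@"; do
        printf '%s\n' "$i"
    done
}

# is_faithful LISTER NAME...
# Succeeds only if LISTER writes every NAME verbatim, one per line.
is_faithful() {
    lister=$1
    shift
    nl='
'
    want=
    for i in "$@"; do
        want="$want$i$nl"
    done
    # The trailing "x" keeps $(...) from stripping the final newlines.
    got=$("$lister" "$@"; printf x)
    [ "$got" = "${want}x" ]
}

# Demo over names an untrusted user could create.
for f in list_with_echo list_with_printf; do
    if is_faithful "$f" -e -n -E 'a\tb' report.txt; then
        printf '%s: all names printed verbatim\n' "$f"
    else
        printf '%s: output differs from the names given\n' "$f"
    fi
done
```

Which names `echo` mangles depends on the shell that runs it, which is the portability problem the reply refers to; the `printf` loop gives the same result everywhere.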