Collin Funk wrote:
> every single unescaped string as a "security vulnerability".

Replicating every argument literally (like 'ls --literal') is
not a security vulnerability. But it is an instance of "garbage in -
garbage out": If the user passes, say, an ANSI escape sequence for
clearing the terminal's screen, only low-quality implementations
will replicate it on stdout literally. And even without escape
sequences, there's a difference between
  $ rm 'the prime minister'
  /bin/rm: cannot remove the prime minister: No such file or directory
and
  $ rm 'the prime minister'
  /bin/rm: cannot remove 'the prime minister': No such file or directory

> However, for printing arguments given by the user

No, the user is in general not aware of all arguments passed to all
commands. In general, the user might be using or invoking a program A,
that invokes a program B (with arguments that A has computed), that
invokes C (with computed arguments again), and so on, until some
of these programs invokes 'gzip'. When something goes wrong, the user
will see the diagnostics from 'gzip', but the user is not the one
who provided / understood / acknowledged the arguments passed to 'gzip'.

Bruno






Reply via email to