#980876 dash: Document -- option particularly with sh -c and security implication

Package:
dash
Source:
dash
Description:
POSIX-compliant shell
Submitter:
"Bastien Roucariès"
Date:
2021-01-24 09:03:06 UTC
Severity:
important
Tags:
#980876#5
Date:
2021-01-23 16:01:48 UTC
From:
To:
Dear Maintainer,

The option -- is not documented

For instance, as every posix shell
sh -c  -x 'echo "$@"' echo foo
is equivalent to
sh -x -c 'echo "$@"' echo foo
and not
sh -c -- -x 'echo "$@"' echo foo
That will execute -x as expected

This corner case should be clearly documented and could have security implication if argument of sh -c is not filtered.
Therefore -- style is prefered

see https://www.austingroupbugs.net/view.php?id=1440#c5192

Bastien

#980876#12
Date:
2021-01-24 08:58:57 UTC
From:
To:
Hi,

BTW -c should be better documented as in bash mentioning the first non
option arguments:
 -c        If the -c option is present, then commands are read from
the first non-option argument command_string.  If there are arguments
after the command_string,