Follow-up Comment #4, bug #64816 (project findutils):
> Actually, NUL-terminated processing is the safest way of
> file name processing with tools in shells

Yes, but most of the POSIX shell and utilities have no support for printing or reading NUL delimited, it's only GNU extensions (well there will actually be some limited support in the next revision of POSIX, see https://austingroupbugs.net/view.php?id=243 ... but as far as I can see, this is only for xargs and read).

So once POSIX' read has -d (as specified now in POSIX and e.g. already used in bash) it will be possible to read a list of NUL delimited strings into shell variables.

But most other standard utilities like grep, sed, wc or shell language elements like command substitution do not support NUL delimited modes. Thus many things will still not be possible.

> The point here is that the output should be safe no matter
> what malicious file an attacker might have placed, i.e., it
> should not disturb the terminal settings.

Isn't that also what I'm asking for with a --quoting-style= option?

If quoted properly, the output could be re-used as literal in the shell, without the need to read everything line by line with the future IFS='' read -r -d '' ... and even with that some things will still be impossible, e.g. re-use the read string in eval, since POSIX' printf won't have %q yet.

_______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?64816>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
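
The two approaches discussed in the comment above, shown side by side as an added example that is not part of the original message or of findutils: NUL-delimited reading with `read -r -d ''`, and shell-literal quoting with bash's `printf %q` followed by an `eval` round trip. It relies on bash and `find -print0`, which are the non-POSIX extensions the comment refers to; the function names and the sample file names are constructed for illustration.

```bash
#!/usr/bin/env bash
# read -d '' and printf %q are bash features, so re-exec under bash if needed.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# Constructed sample: a temp directory holding four awkward file names.
make_sample() {
    local dir
    dir=$(mktemp -d) || return 1
    : > "$dir/plain.txt"
    : > "$dir/two words.txt"
    : > "$dir/$(printf 'new\nline.txt')"        # embedded newline
    : > "$dir/$(printf 'esc\033[31m.txt')"      # terminal escape sequence
    printf '%s\n' "$dir"
}

# Line-oriented counting: the embedded newline yields one record too many.
count_by_lines() {
    echo $(( $(find "$1" -type f | wc -l) ))
}

# NUL-delimited counting: one record per file, whatever bytes the name holds.
count_by_nul() {
    find "$1" -type f -print0 | {
        n=0
        while IFS= read -r -d '' name; do n=$((n + 1)); done
        echo "$n"
    }
}

# Each name as a shell literal: printable on a terminal, reusable in eval.
quoted_list() {
    find "$1" -type f -print0 |
        while IFS= read -r -d '' name; do printf '%q ' "$name"; done
}

# Feed the quoted list back through eval and count the words that are files.
roundtrip_count() {
    local words f n=0
    words=$(quoted_list "$1")
    eval "set -- $words"
    for f in "$@"; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

sample=$(make_sample) || exit 1
echo "lines=$(count_by_lines "$sample") nul=$(count_by_nul "$sample")"
quoted_list "$sample"; echo
rm -rf "$sample"
```
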