# [Solved][BASH] problem with files starting with a hyphen "-"

## ViciousFrank

Hi Gentoo Users !

I have some problems with filenames starting with a hypen "-"... It looks like when * is used, all filenames starting with this characters are interpreted like options. Have a look :

```

~/test $ ls -l

total 8

drwxr-xr-x 2 cassistf cassistf 4096 Oct 16 16:13 -l

-rw-r--r-- 1 cassistf cassistf    1 Oct 16 16:13 toto.txt

~/test $ ls *

-rw-r--r-- 1 cassistf cassistf 1 Oct 16 16:13 toto.txt

~/test $ 

```

Did you notice that "ls *" seems to be interpreted like "ls -l toto.txt" ?

It looks to me like potential security problems! I did not change any configuration from the defaults that Gentoo gave me. Or maybe I did something wrong? Any clue?

Many thanks !

FrançoisLast edited by ViciousFrank on Thu Oct 16, 2008 11:30 pm; edited 1 time in total

----------

## easy target

Well, bash evaluates * to all files, i.e. "-l" and ls treats "-l" as command line option. Files should not start with "-". There is no way to tell ls that "-l" is a file (or dir) unless it is prefixed with path (e.g. "./-l").

----------

## yabbadabbadont

Try 

```
ls -- *
```

----------

## i92guboj

 *easy target wrote:*   

> Well, bash evaluates * to all files, i.e. "-l" and ls treats "-l" as command line option. Files should not start with "-". There is no way to tell ls that "-l" is a file (or dir) unless it is prefixed with path (e.g. "./-l").

 

There's one for most commands. As yabbadabbadont said, the string "--" is used on some of them to terminate the options list. However, I would avoid such names for a file when possible. Some non-standard tools might not be that happy about such kind of file names.

----------

## ViciousFrank

yabba, -- seems to work fine. Thanks for the tip!

Easy target, I do not understand why "\-l" could not work, like we do with "\&" (maybe it's only Bash parsing the string before it calls the commands)... Also I did not choose the name of files starting with "-", I think it's ugly too, but it was in another person files...

I think this is a security issues, since it permits a certain form of code injection... By example with some "-exec" filename followed by a command filename. And it looks like this problem is in BASH in general and not a bad configuration from Gentoo. I continuing to think that it is a dangerous problem because "*" may be considered safe by most people since it already protect certain characters.

Thanks for your answers !

----------

## i92guboj

 *Quote:*   

> Easy target, I do not understand why "\-l" could not work, like we do with "\&"

 

Escaping a character is a simple mechanism to prevent the shell from interpreting special characters before they reach the application. The hyphen is not a special character in bash, and it's not intercepted/interpreted by bash. It reaches the application, and it's the application and not the shell who decides that "-something" is a special option and not a file name or anything else.

There's absolutely nothing that the shell can do about that. That's why escaping can never help on this concrete case.

----------

## ViciousFrank

That's what I thought later about the BASH parser... And replacing "-l" by "[pathtofile]/-l" will cause problems either in other utilisation cases.

I should think to add -- in my futures scripts...   :Sad: 

Anyway, thanks a lot !

Frank

----------

## Hu

 *ViciousFrank wrote:*   

> 
> 
> I should think to add -- in my futures scripts...  
> 
> 

 

It would be safer to use ./* rather than -- *.  The former ensures that the called application sees a leading ./, which should avoid the option parser in all sane programs.  The latter relies on the called application to understand the convention that -- signals an end to arguments.  Some applications may not understand this, and will continue accepting "options" that appear after the --.

----------

## easy target

 *i92guboj wrote:*   

> There's one for most commands. As yabbadabbadont said, the string "--" is used on some of them to terminate the options list. However, I would avoid such names for a file when possible. Some non-standard tools might not be that happy about such kind of file names.

 

OK, I haven't thought about that :).

----------

## UberLord

 *Hu wrote:*   

> Some applications may not understand this, and will continue accepting "options" that appear after the --.

 

Such applications should be recorded to call getopt (3) or the GNU variant for long options.

----------

