Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: optimal expansions?
2024-04-21 16:19:24 +0200, Roman Perepelitsa:
> On Sun, Apr 21, 2024 at 4:10 PM Ray Andrews <rayandrews@xxxxxxxxxxx> wrote:
> >
> > On 2024-04-21 05:23, Roman Perepelitsa wrote:
> >
> > Seems we want '-r' most of the time.  And the '--' should always be there.
> >
> > The missing `-r` is a bug. It should be there. The `--` in this case
> > is optional because the positional argument cannot start with a dash.
> >
> > But the '--' is good standard practice, yes?
> 
> You can call it that. It's one of those standard practices that I
> don't follow, but if you find the trade-off palatable, go for it.
[...]

I would urge you to reconsider, especially for the "print"
built-in of zsh.

print $external_data

or

print -r $external_data

is a command injection vulnerability.

$ external_data='-vpsvar[1$(reboot)]' zsh -c 'print -r $external_data'
System going down for reboot now.

(I have actually singled out zsh's print for that at
https://unix.stackexchange.com/questions/11376/what-does-double-dash-double-hyphen-mean/590210#590210)

-- 
Stephane
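The option-parsing problem described above, as an added example that is not part of the thread: the unsafe `print -r $external_data` beside the hardened `print -r -- "$external_data"`, with a constructed input of the same shape as the one in the message but carrying a harmless marker instead of `reboot`. It assumes a zsh whose `print` supports `-v`.

```zsh
#!/usr/bin/env zsh
# Added example (not from the thread): unsafe vs. safe printing of
# untrusted data with zsh's print builtin.

# Constructed sample input: it looks like an option (-v with an attached
# parameter name) and carries a command substitution inside the array
# subscript, mirroring the shape shown in the message. The payload here is
# a harmless marker written to stderr rather than a destructive command.
external_data='-vpsvar[1$(print -u2 INJECTED)]'

unsafe_print() {
  # The expansion is parsed as options: -v psvar[...] tells print to store
  # its output in psvar, and evaluating the subscript runs the embedded
  # command substitution. Nothing is printed to stdout.
  print -r $external_data
}

safe_print() {
  # '--' ends option parsing, so whatever the data looks like it is taken
  # as a positional argument and written out literally. Quoting also
  # prevents word splitting (under SH_WORD_SPLIT) and globbing.
  print -r -- "$external_data"
}

print 'unsafe_print:'
unsafe_print   # writes INJECTED to stderr: the substitution was executed
print 'safe_print:'
safe_print     # prints the string exactly as given
```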
