Re: [FEATURE][PATCH] Complete local executables with ./ prefix, if prefix-needed is false

[Aaron Schrab <aaron@xxxxxxxxxx>]

At 16:50 -0800 07 Dec 2021, Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx> wrote:
> On Tue, Dec 7, 2021 at 4:23 PM Aaron Schrab <aaron@xxxxxxxxxx> wrote:
>
> > The already existing uses of `prefix-needed` are ones that I don't think
> > setting it to false would cause any serious problems. But for this I
> > think it's fairly dangerous
>
> Hm.  I haven't applied the patch to see what effect it has, but it appears
> it would cause the "./" to be prefixed onto the command word?  If so,
> there's visible feedback; if not, the danger would be of invoking a command
> that's in $path instead of the intended local executable.
>
> So I'm not strongly concerned about danger; what is the behavior you'd find
> troubling?

My main concern is if someone would be in the habit of doing command 
completion and then hitting enter without looking at the results. If 
done when there's a typo in the prefix that was used it could complete 
to something from an untrusted directory instead.

Yes, this requires a few things to go wrong in just the right way for it 
to happen. But enabling this option would generally be a one-time thing 
for a user, and they may not consider this type of case at the time, and 
after awhile even forget about it.