From b97841b7825d94fe78cff82fea1c3941db5bef90 Mon Sep 17 00:00:00 2001
From: Thomas Schmitt
Date: Sat, 21 Dec 2019 11:07:39 +0100
Subject: [PATCH] Shielded processing of user arguments against leading dashes

---
 xorriso-dd-target/xorriso-dd-target | 46 +++++++++++++++++------------
 1 file changed, 27 insertions(+), 19 deletions(-)

diff --git a/xorriso-dd-target/xorriso-dd-target b/xorriso-dd-target/xorriso-dd-target
index 4b20a983..73b676ce 100755
--- a/xorriso-dd-target/xorriso-dd-target
+++ b/xorriso-dd-target/xorriso-dd-target
@@ -162,22 +162,30 @@ xdt_round_down_div_million() {

 ## Check for harmless name or number in program argument
 xdt_check_parameter() {
- if test "$2" = "device_name"
+ if test "X$2" = "Xdevice_name"
 then
- if echo "$1" | grep '[^A-Za-z0-9_/-]' >/dev/null
+ if echo "X$1" | grep '[^A-Za-z0-9_/-]' >/dev/null
 then
 echo "SORRY: Given device name contains unexpected character. Ok: [A-za-z0-9_/-]" >&2
 return 12
+ elif echo "X$1" | grep '^X-' >/dev/null
+ then
+ echo "SORRY: Given device name begins by '-' character." >&2
+ return 15
 fi
- elif test "$2" = "image_file"
+ elif test "X$2" = "Ximage_file"
 then
- if echo "$1" | grep '[$`[*?<>|&!{\]' >/dev/null
+ if echo "X$1" | grep '[$`[*?<>|&!{\]' >/dev/null
 then
 echo "SORRY: Given image file name contains unexpected character. Not ok: "'[$`[*?<>|&!{\]' >&2
 return 15
+ elif echo "X$1" | grep '^X[-(]' >/dev/null
+ then
+ echo "SORRY: Given image file name begins by problematic character. Not ok: "'[-(]' >&2
+ return 15
 fi
 else
- if echo "$1" | grep -v '^[0-9][0-9]*[0-9MGTmgt]$' >/dev/null
+ if echo "X$1" | grep -v '^X[0-9][0-9]*[0-9MGTmgt]$' >/dev/null
 then
 echo "SORRY: Number for $2 too short or bad character. Ok: [0-9][0-9MGTmgt]" >&2
 return 14
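Review bot: The five tests in xdt_check_parameter still pass the argument through `echo "X$1" | grep …`, so what grep inspects is not guaranteed to be the bytes the script uses afterwards. The `X` prefix keeps `echo` from taking the value as an option, but depending on which shell runs the script `echo` may still interpret backslash sequences, and grep tests each line on its own, so a device name containing a newline is not rejected by `[^A-Za-z0-9_/-]`. I would write `printf '%s\n' "X$1" | grep …` in each test and refuse multi-line values before the per-type checks. The same applies to `echo "X$xdt_i" | grep -v '^X-'` in the xdt_arg_interpreter hunk. The end of the function lies outside this hunk.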
@@ -265,51 +273,51 @@ xdt_arg_interpreter() {
 xdt_min_size="$(expr $xdt_min_size + 1)"
 fi
 xdt_next_is=
- elif test "$xdt_i" = "-list_all"
+ elif test "X$xdt_i" = "X-list_all"
 then
 xdt_list_all=y
 xdt_with_vendor_model=y
 xdt_show_reasons=y
- elif test "$xdt_i" = "-list_long"
+ elif test "X$xdt_i" = "X-list_long"
 then
 xdt_do_list_long=y
- elif test "$xdt_i" = "-plug_test"
+ elif test "X$xdt_i" = "X-plug_test"
 then
 xdt_do_plug_test=y
- elif test "$xdt_i" = "-max_size"
+ elif test "X$xdt_i" = "X-max_size"
 then
 xdt_next_is="max_size"
- elif test "$xdt_i" = "-min_size"
+ elif test "X$xdt_i" = "X-min_size"
 then
 xdt_next_is="min_size"
- elif test "$xdt_i" = "-with_vendor_model"
+ elif test "X$xdt_i" = "X-with_vendor_model"
 then
 xdt_with_vendor_model=y
- elif test "$xdt_i" = "-look_for_iso"
+ elif test "X$xdt_i" = "X-look_for_iso"
 then
 xdt_look_for_iso=y
- elif test "$xdt_i" = "-with_sudo"
+ elif test "X$xdt_i" = "X-with_sudo"
 then
 xdt_with_sudo=y
- elif test "$xdt_i" = "-image_file"
+ elif test "X$xdt_i" = "X-image_file"
 then
 xdt_next_is="image_file"
- elif test "$xdt_i" = "-dummy"
+ elif test "X$xdt_i" = "X-dummy"
 then
 xdt_dummy_run=y
- elif test "$xdt_i" = "-dummy_force"
+ elif test "X$xdt_i" = "X-dummy_force"
 then
 xdt_dummy_run=y
 xdt_do_write=y
 xdt_dummy_force=y
- elif test "$xdt_i" = "-DO_WRITE"
+ elif test "X$xdt_i" = "X-DO_WRITE"
 then
 xdt_do_write=y
- elif test "$xdt_i" = "-help"
+ elif test "X$xdt_i" = "X-help"
 then
 xdt_print_usage
 return 0
- elif echo "$xdt_i" | grep -v '^-' >/dev/null
+ elif echo "X$xdt_i" | grep -v '^X-' >/dev/null
 then
 xdt_check_parameter "$xdt_i" device_name || return "$?"
 xdt_devs_named=y
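Review bot: As a matter of style, the option dispatch in xdt_arg_interpreter would need no `X` shielding at all if it were a `case "$xdt_i" in … esac`, because a `case` word is never parsed as an operator or an option. Each option becomes an arm such as `-list_long) xdt_do_list_long=y ;;`, and the final `echo "X$xdt_i" | grep -v '^X-'` test becomes a `-*)` arm ahead of the `*)` arm that calls `xdt_check_parameter "$xdt_i" device_name`, which also saves one pipeline per argument. The if/elif chain begins and ends outside this hunk, so the branch that apparently consumes a pending `xdt_next_is` value would have to stay ahead of the `case`.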