From dc3365628e24c98c95c68e5206acdf043c951e46 Mon Sep 17 00:00:00 2001
From: Bernhard Voelker
Date: Sun, 23 Mar 2025 23:29:36 +0100
Subject: [PATCH] find: issue a warning for wrongly accepted operators like '-!'
In the current implementation, GNU find accepts the operators '!', ',', '(' and ')' with a leading dash, e.g. '-!'. Let's issue a warning to see if anyone relies on that odd behavior. With a later release, let's fix the parser, and not accept these anymore.
* find/parser.c (find_parser): Issue a warning in the case one of the above operators has been passed with a leading '-'.
* tests/find/operators-wrong-with-dash.sh: Add test.
* tests/local.mk (sh_tests): Reference it.
* NEWS (Changes in find): Mention the change in behavior.
Discussed at: https://lists.gnu.org/r/bug-findutils/2025-03/msg00005.html
---
 NEWS | 4 +++
 find/parser.c | 14 ++++++++++
 tests/find/operators-wrong-with-dash.sh | 37 +++++++++++++++++++++++++
 tests/local.mk | 1 +
 4 files changed, 56 insertions(+)
 create mode 100755 tests/find/operators-wrong-with-dash.sh
diff --git a/NEWS b/NEWS
index 5b32c9fc..5df941d6 100644
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,10 @@ GNU findutils NEWS - User visible changes. -*- outline -*- (allout)
 argument of the command to be run. While POSIX allows this for -exec, this is deemed insecure as an attacker could influence which files could be found.
+ find now issues a warning when the punctuation operators '(', ')', '!' and ','
+ are passed with a leading dash, e.g. '-!'. Future releases will not accept
+ that any more. Accepting that was rather a bug "since the beginning".
+
 ** Documentation Changes
 The forthcoming Issue 8 of the POSIX standard will standardise "find
diff --git a/find/parser.c b/find/parser.c
index 4843a5d7..d2850c64 100644
--- a/find/parser.c
+++ b/find/parser.c
@@ -662,6 +662,20 @@ find_parser (const char *search_name)
 {
 if (strcmp (parse_table[i].parser_name, search_name) == 0)
 {
+ /* FIXME >4.11: fix parser to disallow dashed operators like '-!'.
+ * Meanwhile, issue a warning. */
+ if ( (original_arg < search_name) /* with '-' */
+ && (ARG_PUNCTUATION == parse_table[i].type)
+ && ( search_name[0] == '!' || search_name[0] == ','
+ || search_name[0] == '(' || search_name[0] == ')')
+ && (search_name[1] == '\0'))
+ {
+ error (0, 0,
+ _("warning: operator '%s' (with leading dash '-') will "
+ "no longer be accepted in future findutils releases!"),
+ original_arg);
+ }
+
 return found_parser (original_arg, &parse_table[i]);
 }
 }
diff --git a/tests/find/operators-wrong-with-dash.sh b/tests/find/operators-wrong-with-dash.sh
new file mode 100755
index 00000000..88079b2c
--- /dev/null
+++ b/tests/find/operators-wrong-with-dash.sh
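Review bot: The leading-dash test `(original_arg < search_name)` in the added condition is an ordering comparison between two pointers, which is only meaningful if both address the same string; the hunk does not show where `original_arg` is set, since find_parser begins above it. Presumably `search_name` was advanced past the '-' earlier in the function, in which case `(original_arg != search_name) /* leading '-' was skipped */` states the intent directly and does not depend on pointer ordering. The warning is also emitted through `error (0, 0, ...)` unconditionally; if it is meant to ignore `-nowarn`, the FIXME comment should say so, because wrappers that treat any stderr output from find as a failure will start to trip on it.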
@@ -0,0 +1,37 @@
+#!/bin/sh
+# Verify behavior for '-!', '-,', '-(', and '-)'.
+
+# Copyright (C) 2025 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. "${srcdir=.}/tests/init.sh"; fu_path_prepend_
+print_ver_ find
+
+# Versions before and including 4.10 accepted the above mentioned operator
+# options (with a leading dash '-').
+# Findutils 4.11 issues a warning.
+
+cat <<\EOF > exp || framework_failure_
+find: warning: operator '-(' (with leading dash '-') will no longer be accepted in future findutils releases!
+find: warning: operator '-!' (with leading dash '-') will no longer be accepted in future findutils releases!
+find: warning: operator '-,' (with leading dash '-') will no longer be accepted in future findutils releases!
+find: warning: operator '-)' (with leading dash '-') will no longer be accepted in future findutils releases!
+EOF
+
+find '-(' '-!' -not -type c -, -type b '-)' 2>err || fail=1
+cat err
+compare exp err || fail=1
+
+Exit $fail
diff --git a/tests/local.mk b/tests/local.mk
index f04af96b..203ccf20 100644
--- a/tests/local.mk
+++ b/tests/local.mk
@@ -122,6 +122,7 @@ sh_tests = \
 tests/find/printf_escapechars.sh \
 tests/find/printf_escape_c.sh \
 tests/find/printf_inode.sh \
+ tests/find/operators-wrong-with-dash.sh \
 tests/find/execdir-fd-leak.sh \
 tests/find/exec-plus-last-file.sh \
 tests/find/files0-from.sh \
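Review bot: The new test in tests/find/operators-wrong-with-dash.sh only pins the dashed forms; nothing checks that the plain operators stay silent, so a regression that warns on every punctuation operator would still pass. A second run such as `find '(' '!' -type c , -type b ')' 2>err2 || fail=1` followed by `compare /dev/null err2 || fail=1` would cover that. The expected text is the untranslated English message, so the comparison presumably relies on the test framework forcing the C locale; a one-line comment such as `# Messages are compared verbatim; requires the C locale.` would make that dependency visible.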