bug-gawk

Can "gawk -i extension" be made safer?


From: Stephane Chazelas
Subject: Can "gawk -i extension" be made safer?
Date: Sat, 24 Jun 2023 14:30:34 +0100

Hello,

as noted at
https://unix.stackexchange.com/questions/749645/how-to-safely-use-gawks-i-option

Doing things like:

gawk -i inplace '...' somefiles

Or:

gawk -i shellquote 'system("cmd -- " shellquote(...))'

Are security vulnerabilities if run from within directories
where we can't guarantee someone could not plant malicious files
called "inplace" or "inplace.awk" (or "shellquote",
"shellquote.awk").

That's because those extensions are looked-up in $AWKPATH which
by default has "." as the first directory to look for those
extensions in.

/tmp$ echo 'BEGIN{system("echo rm -rf ~"); exit}' > shellquote
/tmp$ gawk -i shellquote 'BEGIN{system("id -- " shellquote(ENVIRON["LOGNAME"]))}'
rm -rf /home/chazelas

Oops. (don't remove that echo!)

IMO, gawk -f file (or -E) should only look for "file" in the
current working directory (and not even fall back to searching
for "file.awk") as POSIX requires and gawk -i extension should
only look for extension (or extension.awk) in a $AWKPATH which
by default should not include any relative path.

But I acknowledge it may be too late to change that as some
users might already use gawk -f cmd and expect cmd (or cmd.awk)
to be looked up in $AWKPATH and some may use gawk -i lib and
expect the lib.awk in the current working directory to be
included.

But maybe a new -I as a safer version of -i could be introduced
that only looks up the extensions in the absolute directories of
$AWKPATH?

It should also be relatively safe to disable that $AWKPATH
lookup (and .awk suffix addition) for -f in -Wposix or
-Wtraditional mode.

Same for -E which is intended for #! /usr/bin/gawk -E shebangs
where looking up the file in $AWKPATH or adding that .awk
wouldn't make sense.

-- 
Stephane
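
An added example, not part of the original message and not gawk's own code: a POSIX sh helper that emulates the lookup the proposed -I would perform, resolving a library name against only the absolute directories of an AWKPATH-style list so that the result can be handed to -i as a full path. The names resolve_awk_lib and demo are hypothetical, the demo files are constructed, and the intended use assumes gawk does no path search for a file name that contains a slash.

```shell
#!/bin/sh
# resolve_awk_lib NAME [SEARCHPATH]  (hypothetical helper, not part of gawk)
# Prints the full path of NAME or NAME.awk found in an ABSOLUTE directory of
# SEARCHPATH (default: $AWKPATH). Returns 1 if not found, 2 on a bad name.
resolve_awk_lib() {
    name=$1
    path=${2-${AWKPATH-}}
    case $name in
        */*) echo "resolve_awk_lib: expected a bare library name" >&2; return 2 ;;
    esac
    old_ifs=$IFS
    set -f; IFS=:          # split on ':' only, no globbing
    set -- $path
    IFS=$old_ifs; set +f
    for dir do
        case $dir in
            /*) ;;           # absolute directory: acceptable
            *) continue ;;   # "", ".", "lib", "../x" depend on the cwd: skip
        esac
        for cand in "$dir/$name" "$dir/$name.awk"; do
            if [ -f "$cand" ] && [ -r "$cand" ]; then
                printf '%s\n' "$cand"
                return 0
            fi
        done
    done
    return 1
}

# Constructed demo: a planted "shellquote" in the working directory and a
# stand-in library in an absolute directory (temporary paths only).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/cwd" "$tmp/lib"
    echo 'BEGIN{print "planted"; exit}' > "$tmp/cwd/shellquote"
    echo '# stand-in for the real library' > "$tmp/lib/shellquote.awk"
    ( cd "$tmp/cwd" && resolve_awk_lib shellquote ".:$tmp/lib" )
    status=$?
    rm -rf "$tmp"
    return $status
}

demo   # prints the path under .../lib/, never ./shellquote
# Intended use (assumes a name containing "/" is not searched for by gawk):
#   lib=$(resolve_awk_lib inplace) && gawk -i "$lib" '...' somefiles
```

When AWKPATH is unset the helper finds nothing, so pass the search path explicitly; gawk exposes the path it actually uses as ENVIRON["AWKPATH"].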


