On Fri, Jun 12, 2015 at 8:32 AM, Stanislav Brabec <sbrabec@suse.com> wrote:
> "sed -i -" does not fail, but it also does not do what one would expect.
> Document it, as it could have security implications:
>
> Example:
> The sed command below looks broken, but it is executed and succeeds:
>
> ln -s /etc/passwd -- -
> echo root | sed -i --follow-symlinks s/root/parrot/ -
>
> Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
> ---
>  doc/sed-in.texi | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/doc/sed-in.texi b/doc/sed-in.texi
> index 0e10cde..c8f1289 100644
> --- a/doc/sed-in.texi
> +++ b/doc/sed-in.texi
> @@ -180,6 +180,7 @@ sed OPTIONS... [SCRIPT] [INPUTFILE...]
>  @end example
>
>  If you do not specify @var{INPUTFILE}, or if @var{INPUTFILE} is @file{-},
> +and @option{-i} is not used,
>  @command{sed} filters the contents of the standard input.  The @var{script}
>  is actually the first non-option parameter, which @command{sed} specially
>  considers a script and not an input file if (and only if) none of the

Thank you for the patch.
However, rather than documenting this surprising behavior,
I propose to remove the anomaly altogether with the attached patch.
Does anyone see a reason to retain the behavior of treating "-"
like "./-"?