The article does not address another significant point: filenames should also be classified as untrusted input. Using -- to separate flags from arguments can help:

    /tmp$ mkdir x
    /tmp$ cd x
    /tmp/x$ echo hello > a 
    /tmp/x$ grep hello *
    hello
    /tmp/x$ touch -- -q 
    /tmp/x$ grep hello *
    /tmp/x$ grep hello -- *
    a:hello
    /tmp/x$

It's rare to see protection against this problem either when shelling out or in native shell scripts.

Your quoting of "$0" does not protect it from the shell. An attacker need only provide an input such as: /tmp"; rm -rf /; "

There are pipeline libraries that avoid the shell for several languages. Some I can recommend:

* libpipeline http://libpipeline.nongnu.org/ easy, if somewhat verbose, pipeline construction in C.

* hsh https://github.com/jgoerzen/hsh/wiki makes pipelines in haskell, using operators so they really look like pipelines, but without involving the shell. Example: "ls -l" -|- "wc -l"

Your quoting of "$0" does not protect it from the shell. An attacker need only provide an input such as: /tmp"; rm -rf /; "

Not true.

  $ sh -c 'ls "$0"' '/tmp"; rm -rf /; "'
  ls: cannot access /tmp"; rm -rf /; ": No such file or directory

If you were right, there would be no reasonable way to write shell scripts.

My mistake, not knowing python's variable interpoltion well, I thought that the $0 was expanded by it, not the shell. Which, if it were the case, would indeed be vulnerable.

Isn't it a bit harsh to downvote to -1 a comment which links to two completly on-topic libraries?

Your comment would be correct if it were PHP.

I didn't downvote you, fwiw.