#840 new enhancement

Allow all CLI commands to take arguments from stdin or a file, to avoid caps being visible to other users — at Initial Version

Reported by: davidsarah
Owned by:
Priority: major
Milestone: undecided
Component: code-frontend-cli
Version: 1.5.0
Keywords: security confidentiality integrity usability
Cc:
Launchpad Bug:

Description

From code:docs/known_issues.txt :

command-line arguments are leaked to other local users

Remember that command-line arguments are visible to other users (through the ps command, or the Windows Process Explorer tool), so if you are using a Tahoe-LAFS node on a shared host, other users on that host will be able to see (and copy) any caps that you pass as command-line arguments. This includes directory caps that you set up with the "tahoe add-alias" command. Use "tahoe create-alias" for that purpose instead.

how to manage it

Bypass add-alias and edit the NODEDIR/private/aliases file directly, [...] By entering the dircap through the editor, the command-line arguments are bypassed, and other users will not be able to see them. [...]

Starting in Tahoe-LAFS v1.3.0, there is a "tahoe create-alias" command that does this for you.

This workaround using aliases is ugly -- adding a persistent alias for an argument that might only be used once has poor usability, leaving around aliases may constitute a privacy issue, and firing up an editor is quite a heavyweight solution.

Proposed feature: if a CLI command sees an argument of the form "@filename", then it substitutes the contents of that file into the command arguments in place of "@filename" (taking newlines as argument separators). "@" on its own does the same thing for standard input. If the file cannot be read then the command fails with no effect.

(In other words, @filename works similarly to the Unix shell syntax `cat filename`, except that the latter wouldn't solve the problem because it passes the file contents via the command line.)

The syntax @filename is chosen because it seems to be a semi-convention, at least in developer tools (e.g. MSVC++, javac, javadoc use it), and because @ does not need to be quoted on either Unix or Windows.
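A sketch of the proposed "@filename" / "@" expansion, as an added example that is not Tahoe-LAFS code and not part of the ticket. The names expand_args and ArgFileError are hypothetical, and three behaviours are assumptions the ticket does not specify: blank lines are skipped, substituted lines are not expanded again, and "@" may appear only once.

```python
import sys


class ArgFileError(Exception):
    """Raised during expansion, before any command logic has run."""


def expand_args(argv, stdin=None):
    """Expand "@filename" and "@" (stdin) as proposed in the ticket.

    expand_args and ArgFileError are hypothetical names, not Tahoe-LAFS API.
    """
    stdin = sys.stdin if stdin is None else stdin
    expanded = []
    stdin_used = False
    for arg in argv:
        if not arg.startswith("@"):
            expanded.append(arg)
            continue
        if arg == "@":
            # Assumption: stdin can be consumed only once per invocation.
            if stdin_used:
                raise ArgFileError('"@" (stdin) given more than once')
            stdin_used = True
            text = stdin.read()
        else:
            try:
                with open(arg[1:], "r", encoding="utf-8") as f:
                    text = f.read()
            except (OSError, UnicodeDecodeError) as e:
                # Fail as a whole: the caller never sees a partial argument list.
                raise ArgFileError("cannot read %s: %s" % (arg[1:], e)) from e
        # Newlines separate arguments, so spaces inside a line are preserved.
        # Assumptions: blank lines are skipped, and substituted lines are taken
        # literally (a line starting with "@" is not expanded again).
        expanded.extend(line for line in text.splitlines() if line)
    return expanded


if __name__ == "__main__":
    # Report only the argument count so that caps are not echoed to the terminal.
    try:
        print("%d arguments after expansion" % len(expand_args(sys.argv[1:])))
    except ArgFileError as e:
        sys.exit("error: %s" % e)
```

A file passed this way should be readable only by its owner (for example mode 0600); otherwise other local users can read the cap from the file instead of from the process list.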

Change History (0)
