So... 32 chars of 64 possibilities [64^32] compared to:
31 chars of 64 possibilities and one char of 63 possibilities [64^31*63]
just for the visual effect:
The real problem comes in if the "-" creates a problem anywhere within base64 encoding.
If that is the case... then there is about a 50% chance that would happen and would significantly impact the entire process [a definite deal breaker].
AFAIK quotes won't cut it, as mentioned earlier in this thread you need to "end" the parsing of dash-prefixed arguments to the command by using --. After -- you can enter all the options you want starting with a dash, it won't get parsed as a "regular option" (e.g. -p).
Anyway, Let's Encrypt has issued 2 498 820 194 certificates between 2015-10-08 and yesterday. Which is.. Well.. A LOT! And only two (!!) complaints in these seven (!!) years of issuance. So I guess it's not that big a deal in the grand scheme of things.
The distinction in your example above is actually the > which is processed by the shell in such a way that the program to the left of the > redirection does not see the single token that follows the > at all. It's not specifically about the behavior of the cat or echo programs.
@schoen That > was just to generate the -bar file, not actually part of the demonstration. I tried to demonstrate that cat does not like files beginning with a dash and interprets it as option arguments, even with quotes around it. And that the double dash fixes everything.
Isn't it actually a 32 byte array (256 bits), which results in 43 6-bit Base64url characters (where the last character only uses 4 of 6 bits)? ^^
So the number of regular possibilities would be: 2^256 = 1.1579208924e+77
When using Base64url and the first character mustn't start with a dash, that would mean for the first group of 6 bits there is one less possibility, which would mean: (2^6-1)*2^(256-6) = 1.1398283784e+77
(The loss is the same (1-63/64): 1.5625 %)
However, it might be harder to generate a random number for a range which isn't a power of two, especially for security purposes (e.g. generate it in constant time and balanced); in that case it might be necessary to omit a full bit, which would mean 2^255 = 5.7896044619e+76
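Worked example added here (not from anyone in this thread): the first Base64url character of a 32-byte value depends only on the top 6 bits of the first byte, so "starts with a dash" means "that 6-bit index is 62". The script below maps indices to the Base64url alphabet, computes the 1/64 loss and the three space sizes from the post above with awk, and shows both ways of avoiding a leading dash: redrawing on index 62 (keeps 63*2^250 values) versus clearing the top bit (2^255 values, no retry loop). It only handles the first byte, because that is all the leading character depends on; the function names and the use of /dev/urandom via od are my choices, not anything from Let's Encrypt.

```shell
#!/bin/sh
# Added example: leading Base64url character of a 32-byte value and two ways
# to keep it from being '-'. Assumes POSIX sh, awk, od, cut and /dev/urandom.

B64URL='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'

# Base64url character for a 6-bit index 0..63 (cut is 1-based, hence +1).
b64url_char() {
    printf '%s\n' "$B64URL" | cut -c "$(( $1 + 1 ))"
}

# The first output character is chosen by the top 6 bits of the first byte:
# bytes 248..251 (0xF8..0xFB) all map to index 62, i.e. '-'.
first_char_of_byte() {
    b64url_char $(( $1 >> 2 ))
}

# Fraction of the space lost when one of 64 leading indices is forbidden.
loss_percent() {
    awk 'BEGIN { printf "%.4f\n", (1 - 63/64) * 100 }'   # 1.5625
}

# Sizes from the post above: full space, no-leading-dash, and drop-one-bit.
# awk works in doubles, which is enough for the order of magnitude.
space_sizes() {
    awk 'BEGIN {
        printf "all values:        %.10e\n", 2^256
        printf "no leading dash:   %.10e\n", (2^6 - 1) * 2^(256 - 6)
        printf "one bit dropped:   %.10e\n", 2^255
    }'
}

# One random byte as a decimal number 0..255 (constructed input source).
random_byte() {
    od -An -tu1 -N1 /dev/urandom | tr -d ' '
}

# Option 1: rejection sampling. Redraw while the top 6 bits are 62.
# Every remaining value stays equally likely; expected draws are 64/63.
first_byte_rejecting_dash() {
    b=$(random_byte)
    while [ $(( b >> 2 )) -eq 62 ]; do
        b=$(random_byte)
    done
    printf '%s\n' "$b"
}

# Option 2: clear the top bit so the index is 0..31 and can never be 62.
# Costs a full bit of entropy but needs no data-dependent loop.
first_byte_dropping_bit() {
    printf '%s\n' $(( $(random_byte) & 127 ))
}

echo "byte 248 encodes as: $(first_char_of_byte 248)"
echo "byte 252 encodes as: $(first_char_of_byte 252)"
echo "loss when '-' is forbidden: $(loss_percent) %"
space_sizes
echo "rejection-sampled first byte: $(first_byte_rejecting_dash)"
echo "bit-dropped first byte:       $(first_byte_dropping_bit)"
```

Run it as `sh script.sh`; the two random lines differ each run, the rest is fixed.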
cat -- -bar is a valid construction to avoid this issue, though depending on what command you're running -- may not be universally supported. Another potential option is to use a relative path like ./-bar or an absolute path like /tmp/foo/-bar, depending on what's easiest for your script. So long as the program takes a filename, that's more universal.
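Small demo script added here (my own, not posted by anyone in this thread): it creates a file literally named `-bar` in a temp directory and then hands that name to `cat` four ways, so you can see that quoting alone fails while `--`, `./-bar` and an absolute path all work. The `safe_name` helper at the end is the pattern I would drop into a script that builds filenames from Base64url identifiers; its name is my invention.

```shell
#!/bin/sh
# Added example: passing a dash-prefixed filename safely. Assumes POSIX sh,
# mktemp and a cat that parses a leading "-" as an option cluster.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# The redirection is handled by the shell, so printf never sees "-bar" as an
# argument. This only creates the awkward file; it is not the demonstration.
printf 'hello\n' > "$workdir/-bar"

# Run a command, print "yes" if it exits 0 and "no" otherwise.
ok() { "$@" >/dev/null 2>&1 && echo yes || echo no; }

# 1. Quotes only stop the shell from globbing/splitting. cat still receives
#    the token -bar and treats it as options, so it fails.
naive()    { ( cd "$workdir" && ok cat "-bar" ); }

# 2. End-of-options marker: everything after -- is an operand.
with_dd()  { ( cd "$workdir" && ok cat -- "-bar" ); }

# 3. Relative path: "./-bar" does not start with a dash, so no option parser
#    can mistake it. Works even for tools that do not understand --.
with_rel() { ( cd "$workdir" && ok cat "./-bar" ); }

# 4. Absolute path, same reasoning as 3.
with_abs() { ok cat "$workdir/-bar"; }

# For scripts: prefix any name that starts with "-" with "./" so it is safe
# to pass as a filename operand to any command.
safe_name() {
    case $1 in
        -*) printf './%s\n' "$1" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

echo "cat \"-bar\"          works: $(naive)"
echo "cat -- \"-bar\"       works: $(with_dd)"
echo "cat \"./-bar\"        works: $(with_rel)"
echo "cat \"\$dir/-bar\"     works: $(with_abs)"
echo "safe_name -bar  -> $(safe_name -bar)"
echo "safe_name bar   -> $(safe_name bar)"
```

Only the first line should say `no`. If your script is given a name it did not construct itself, run it through `safe_name` before passing it to anything that takes a filename.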