Unsanitized wildcards or special matching symbols in user-provided strings can enable attacks and lead to unwanted behavior, including unwanted filesystem access and denial of service.