[Info-vax] Command Line Versus Command Line
Lawrence D'Oliveiro
ldo at nz.invalid
Thu May 23 18:41:37 EDT 2024
On Thu, 23 May 2024 19:02:39 +0300, Michael S wrote:

> As far as Win32 CreateProcess() function is concerned, command line is
> just a string.

Which is what I said.

> If caller omits applicationName parameter then system
> does small amount of parsing to find application name in command line.

This is already starting to set off alarm bells ...

> But when caller provides applicationName parameter, which is a most
> logical thing to do in any non-interactive/non-shell scenario, then OS
> does not care at all about content of command line.

There is an issue if the program being executed is CMD.EXE itself. On
*nix, the same array-of-strings rule applies to a shell as to any other
program, but on Windows, the shell has to do its own parsing of the
command line. There was a security vulnerability recently that was related
to this: the vulnerability was present only on Windows, because of this
(mis)feature, not on *nix.
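
An added example, not part of the original post: a Python sketch of the mismatch discussed above, where an argument list is flattened into the single string CreateProcess() receives and cmd.exe then parses that string by its own rules. The function names, the metacharacter set and the sample arguments are assumptions made for illustration.

```python
import subprocess

# Characters cmd.exe interprets when it parses a command line itself:
# separators, redirection, escape, variable expansion, grouping, quotes.
CMD_METACHARS = frozenset('&|<>^%!()"\r\n')


def windows_command_line(argv):
    """Join argv into the one string that CreateProcess() receives.

    list2cmdline applies the Microsoft C runtime quoting rules, which the
    target program's startup code uses to rebuild argv. cmd.exe does not
    follow those rules; it parses the string its own way.
    """
    return subprocess.list2cmdline(argv)


def args_cmd_would_reinterpret(argv):
    """Return the arguments (after argv[0]) containing cmd.exe metacharacters."""
    return [arg for arg in argv[1:] if CMD_METACHARS & set(arg)]


def runs_under_cmd(program):
    """True if the program is cmd.exe or a batch file, which cmd.exe executes."""
    name = program.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    return name in ("cmd", "cmd.exe") or name.endswith((".bat", ".cmd"))


def checked_command_line(argv):
    """Build the command line, refusing arguments cmd.exe would reinterpret."""
    if runs_under_cmd(argv[0]):
        risky = args_cmd_would_reinterpret(argv)
        if risky:
            raise ValueError(f"arguments not safe to pass through cmd.exe: {risky!r}")
    return windows_command_line(argv)


if __name__ == "__main__":
    argv = ["tool.exe", "hello world", "a&b"]   # constructed sample input
    # C-runtime quoting protects the space but leaves '&' bare, which is
    # fine for tool.exe and not fine once cmd.exe parses the same string.
    print(windows_command_line(argv))
    print(args_cmd_would_reinterpret(["cmd.exe", "/c", "run.bat", "a&b"]))
```

On *nix the list would reach the new process as-is through execve(), so no joining or re-splitting step exists to get wrong.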