[Info-vax] Command Line Versus Command Line
Michael S
already5chosen at yahoo.com
Fri May 24 11:11:25 EDT 2024
On Fri, 24 May 2024 09:42:49 -0400
Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 5/24/2024 9:32 AM, Michael S wrote:
> > On Fri, 24 May 2024 08:13:04 -0400
> > Arne Vajhøj <arne at vajhoej.dk> wrote:
> >> As illustrated by the Rust issue.
> >
> > I was not able to figure out what exactly Rust guys were trying to
> > achieve. Feeding cmd.exe with command line from untrusted source and
> > expecting no harm sounds like mission impossible.
> > That is, impossible when you run cmd.exe under privileged account.
> > It is possible when you run it under sufficiently deprived account,
> > but that is orthogonal to parsing of command line.
> >
>
> To my very limited understanding then the problem was that:
>
> Command::new("program").arg("a1").arg("a2")
>
> ended up as:
>
> program a1 a2
>
> not:
>
> program "a1" "a2"
>
> which is fine but it also meant that:
>
> Command::new("program").arg("a1").arg("a2 x y z")
>
> ended up as:
>
> program a1 a2 x y z
>
> not:
>
> program "a1" "a2 x y z"
>
> which is not so fine.
>
> It is definitely a functional problem.
>
> And if the security depends on program treating the two
> arguments securely, then it is also a security problem.
>
> Arne
>
It seems like the simplest solution is to not try to run batch files by
means of spawn("cmd.exe", ...) or CreateProcess("cmd.exe", ...).
They could have used a more specialized function: system() from C RTL or
ShellExecuteEx() from Win32 API. The former is easier to use, the latter
works as expected in wider range of host console environments, most
importantly, it works from mintty.
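
An added example, not part of the original posts and not Rust's standard-library code: it shows the `program a1 a2 x y z` splitting described in the quoted message and the argv-level quoting that keeps `a2 x y z` as one argument. It assumes the receiving program parses its command line with the MSVC C runtime convention; cmd.exe applies its own parsing rules, which this does not cover. The names `quote_arg`, `split_args`, `naive_join` and `quoted_join` are hypothetical.

```rust
// Quote one argument per the MSVC C runtime argv convention (assumed target parser).
fn quote_arg(arg: &str) -> String {
    if !arg.is_empty() && !arg.contains(|c: char| matches!(c, ' ' | '\t' | '"')) {
        return arg.to_string();
    }
    let (mut out, mut bs) = (String::from("\""), 0usize);
    for c in arg.chars() {
        match c {
            '\\' => bs += 1,
            // Backslashes before a quote are doubled, then the quote is escaped.
            '"' => { out.push_str(&"\\".repeat(bs * 2 + 1)); out.push('"'); bs = 0; }
            _ => { out.push_str(&"\\".repeat(bs)); out.push(c); bs = 0; }
        }
    }
    // Trailing backslashes are doubled so they cannot escape the closing quote.
    out.push_str(&"\\".repeat(bs * 2));
    out + "\""
}

// Split a command line the way that convention does (simplified: no `""` rule).
fn split_args(line: &str) -> Vec<String> {
    let (mut args, mut cur) = (Vec::new(), String::new());
    let (mut in_quotes, mut started, mut bs) = (false, false, 0usize);
    for c in line.chars() {
        if c == '\\' { bs += 1; started = true; continue; }
        if c == '"' {
            cur.push_str(&"\\".repeat(bs / 2));
            if bs % 2 == 1 { cur.push('"') } else { in_quotes = !in_quotes }
            bs = 0; started = true; continue;
        }
        cur.push_str(&"\\".repeat(bs)); bs = 0;
        if (c == ' ' || c == '\t') && !in_quotes {
            if started { args.push(std::mem::take(&mut cur)); started = false; }
        } else { cur.push(c); started = true; }
    }
    cur.push_str(&"\\".repeat(bs));
    if started { args.push(cur); }
    args
}

fn naive_join(argv: &[&str]) -> String { argv.join(" ") }
fn quoted_join(argv: &[&str]) -> String {
    argv.iter().map(|a| quote_arg(a)).collect::<Vec<_>>().join(" ")
}
fn main() {
    let argv = ["program", "a1", "a2 x y z"]; // the case from the quoted message
    println!("naive:  {:?}", split_args(&naive_join(&argv)));
    println!("quoted: {:?}", split_args(&quoted_join(&argv)));
}
```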