[Info-vax] Command Line Versus Command Line

Arne Vajhøj arne at vajhoej.dk
Fri May 24 11:28:05 EDT 2024


On 5/24/2024 11:11 AM, Michael S wrote:
> On Fri, 24 May 2024 09:42:49 -0400
> Arne Vajhøj <arne at vajhoej.dk> wrote:
>> On 5/24/2024 9:32 AM, Michael S wrote:
>>> On Fri, 24 May 2024 08:13:04 -0400
>>> Arne Vajhøj <arne at vajhoej.dk> wrote:
>>>> As illustrated by the Rust issue.
>>>
>>> I was not able to figure out what exactly the Rust guys were trying to
>>> achieve. Feeding cmd.exe with a command line from an untrusted source and
>>> expecting no harm sounds like mission impossible.
>>> That is, impossible when you run cmd.exe under a privileged account.
>>> It is possible when you run it under a sufficiently deprived account,
>>> but that is orthogonal to the parsing of the command line.
>>>
>>
>> To my very limited understanding then the problem was that:
>>
>> Command::new("program").arg("a1").arg("a2")
>>
>> ended up as:
>>
>> program a1 a2
>>
>> not:
>>
>> program "a1" "a2"
>>
>> which is fine, but it also meant that:
>>
>> Command::new("program").arg("a1").arg("a2 x y z")
>>
>> ended up as:
>>
>> program a1 a2 x y z
>>
>> not:
>>
>> program "a1" "a2 x y z"
>>
>> which is not so fine.
>>
>> It is definitely a functional problem.
>>
>> And if the security depends on program treating the two
>> arguments securely, then it is also a security problem.
> 
> It seems like the simplest solution is to not try to run batch files by
> means of spawn("cmd.exe", ...) or CreateProcess("cmd.exe", ...).
> They could have used a more specialized function: system() from the C RTL or
> ShellExecuteEx() from the Win32 API. The former is easier to use, the latter
> works as expected in a wider range of host console environments, most
> importantly, it works from mintty.

Both system and ShellExecuteEx still take all parameters as a single
string, which requires some non-trivial conversion from an array of
parameters to that string.

Arne
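
An added illustration of the array-to-string conversion discussed in this thread (not code from any poster or from the Rust standard library): it quotes each argument by the widely documented MSVC runtime / CommandLineToArgvW rules and uses a simplified splitter to show the naive join breaking "a2 x y z" apart. The function names and sample arguments are constructed for this example.

```rust
// Added example: argv quoting only. cmd.exe metacharacters (& | ^ %) obey separate rules.
fn quote_arg(arg: &str) -> String {
    if !arg.is_empty() && !arg.contains(|c: char| matches!(c, ' ' | '\t' | '\n' | '"')) {
        return arg.to_string(); // nothing that needs protecting
    }
    let (mut out, mut bs) = (String::from("\""), 0usize);
    for c in arg.chars() {
        match c {
            '\\' => bs += 1,
            // a literal quote needs 2n+1 backslashes; other backslash runs stay literal
            '"' => { out.push_str(&"\\".repeat(bs * 2 + 1)); out.push('"'); bs = 0; }
            _ => { out.push_str(&"\\".repeat(bs)); out.push(c); bs = 0; }
        }
    }
    out.push_str(&"\\".repeat(bs * 2)); // double a trailing run before the closing quote
    out + "\""
}
fn join_quoted(args: &[&str]) -> String {
    args.iter().map(|a| quote_arg(a)).collect::<Vec<_>>().join(" ")
}

// Simplified model of how the child's C runtime splits the string back into argv
// (ignores the argv[0] special case and the "" shorthand inside quotes).
fn split_msvc(line: &str) -> Vec<String> {
    let (mut args, mut cur) = (Vec::new(), String::new());
    let (mut in_quotes, mut in_arg, mut bs) = (false, false, 0usize);
    for c in line.chars() {
        if c == '\\' { bs += 1; in_arg = true; continue; }
        if c == '"' {
            cur.push_str(&"\\".repeat(bs / 2));
            if bs % 2 == 1 { cur.push('"'); } else { in_quotes = !in_quotes; }
            in_arg = true;
        } else {
            cur.push_str(&"\\".repeat(bs));
            if (c == ' ' || c == '\t') && !in_quotes {
                if in_arg { args.push(std::mem::take(&mut cur)); in_arg = false; }
            } else { cur.push(c); in_arg = true; }
        }
        bs = 0;
    }
    cur.push_str(&"\\".repeat(bs));
    if in_arg { args.push(cur); }
    args
}
fn main() {
    let args = ["a1", "a2 x y z", r#"say "hi""#, r"C:\dir with space\"]; // constructed
    println!("naive : {:?}", split_msvc(&args.join(" ")));
    println!("quoted: {:?}", split_msvc(&join_quoted(&args)));
}
```

When the target is a batch file, cmd.exe re-parses the string by its own rules before the program sees it, so this quoting alone does not cover that case.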



