[Info-vax] Command Line Versus Command Line
Michael S
already5chosen at yahoo.com
Fri May 24 12:05:40 EDT 2024
On Fri, 24 May 2024 11:28:05 -0400
Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 5/24/2024 11:11 AM, Michael S wrote:
> > On Fri, 24 May 2024 09:42:49 -0400
> > Arne Vajhøj <arne at vajhoej.dk> wrote:
> >> On 5/24/2024 9:32 AM, Michael S wrote:
> >>> On Fri, 24 May 2024 08:13:04 -0400
> >>> Arne Vajhøj <arne at vajhoej.dk> wrote:
> >>>> As illustrated by the Rust issue.
> >>>
> >>> I was not able to figure out what exactly the Rust guys were trying to
> >>> achieve. Feeding cmd.exe with a command line from an untrusted source
> >>> and expecting no harm sounds like mission impossible.
> >>> That is, impossible when you run cmd.exe under privileged account.
> >>> It is possible when you run it under sufficiently deprived
> >>> account, but that is orthogonal to parsing of command line.
> >>>
> >>
> >> To my very limited understanding then the problem was that:
> >>
> >> Command::new("program").arg("a1").arg("a2")
> >>
> >> ended up as:
> >>
> >> program a1 a2
> >>
> >> not:
> >>
> >> program "a1" "a2"
> >>
> >> which is fine but it also meant that:
> >>
> >> Command::new("program").arg("a1").arg("a2 x y z")
> >>
> >> ended up as:
> >>
> >> program a1 a2 x y z
> >>
> >> not:
> >>
> >> program "a1" "a2 x y z"
> >>
> >> which is not so fine.
> >>
> >> It is definitely a functional problem.
> >>
> >> And if the security depends on program treating the two
> >> arguments securely, then it is also a security problem.
> >
> > It seems like the simplest solution is to not try to run batch
> > files by means of spawn("cmd.exe", ...) or CreateProcess("cmd.exe",
> > ...). They could have used a more specialized function: system() from
> > C RTL or ShellExecuteEx() from Win32 API. The former is easier to
> > use, the latter works as expected in a wider range of host console
> > environments, most importantly, it works from mintty.
>
> Both system and ShellExecuteEx still take all parameters as a single
> string, which requires some non-trivial conversion from an array of
> parameters to that string.
>
> Arne
>
Conversion is actually trivial - dumb double-quoting.
There is an opposite problem - the child will get parameters together
with double quotes.
But at least the biggest of their problems (complicated undocumented
rules of cmd.exe) goes away. The rules applied by CommandLineToArgv()
are non-complicated and documented.