[Info-vax] Command Line Versus Command Line

Craig A. Berry craigberry at nospam.mac.com
Fri May 24 12:45:27 EDT 2024


On 5/24/24 10:28 AM, Arne Vajhøj wrote:
> On 5/24/2024 11:11 AM, Michael S wrote:
>> On Fri, 24 May 2024 09:42:49 -0400
>> Arne Vajhøj <arne at vajhoej.dk> wrote:
>>> On 5/24/2024 9:32 AM, Michael S wrote:
>>>> On Fri, 24 May 2024 08:13:04 -0400
>>>> Arne Vajhøj <arne at vajhoej.dk> wrote:
>>>>> As illustrated by the Rust issue.
>>>>
>>>> I was not able to figure out what exactly Rust guys were trying to
>>>> achieve. Feeding cmd.exe with command line from untrusted source and
>>>> expecting no harm sounds like mission impossible.
>>>> That is, impossible when you run cmd.exe under privileged account.
>>>> It is possible when you run it under sufficiently deprived account,
>>>> but that is orthogonal to parsing of command line.
>>>
>>> To my very limited understanding then the problem was that:
>>>
>>> Command::new("program").arg("a1").arg("a2")
>>>
>>> ended up as:
>>>
>>> program a1 a2
>>>
>>> not:
>>>
>>> program "a1" "a2"
>>>
>>> which is fine but also meant that:
>>>
>>> Command::new("program").arg("a1").arg("a2 x y z")
>>>
>>> ended up as:
>>>
>>> program a1 a2 x y z
>>>
>>> not:
>>>
>>> program "a1" "a2 x y z"
>>>
>>> which is not so fine.
>>>
>>> It is definitely a functional problem.
>>>
>>> And if the security depends on program treating the two
>>> arguments securely, then it is also a security problem.
>>
>> It seems like the simplest solution is to not try to run batch files by
>> means of spawn("cmd.exe", ...) or CreateProcess("cmd.exe", ...).
>> They could have used a more specialized function: system() from C RTL or
>> ShellExecuteEx() from Win32 API. The former is easier to use, the latter
>> works as expected in a wider range of host console environments, most
>> importantly, it works from mintty.
> 
> Both system and ShellExecuteEx still take all parameters as a single
> string, which requires some non-trivial conversion from an array of
> parameters to that string.

The Windows CRT has _spawn() [1] which looks pretty similar to
posix_spawn() [2].  With either one you pass arguments or an array of
arguments rather than a complete command line.  From the docs it sounds
like on Windows the arguments get concatenated under the hood, but at
least "someone else" is doing that rather than each program having to
take responsibility for it.

There was a mention sometime in the last couple of years that
posix_spawn() is being added to the VMS CRTL.

[1] 
https://learn.microsoft.com/en-us/cpp/c-runtime-library/spawn-wspawn-functions?view=msvc-170

[2] 
https://pubs.opengroup.org/onlinepubs/9699919799.2013edition/functions/posix_spawn.html
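An added example, not from this thread and not the Rust standard library's own code, of the array-to-command-line conversion Arne and Craig refer to above. It applies the quoting rules the Microsoft C runtime (and CommandLineToArgvW) parse, so an argument containing spaces comes out as a single quoted token, which is the difference between `program a1 a2 x y z` and `program a1 "a2 x y z"` in the quoted exchange; the function and program names are illustrative.

```rust
// Build a Windows command line from an argv-style list using the quoting rules
// that the Microsoft C runtime's argv parser understands. Note: when the target
// is a batch file, cmd.exe applies its own parsing on top of this, so these
// rules alone do not cover that case.
fn quote_arg(arg: &str) -> String {
    // Arguments without whitespace or quotes are passed through untouched.
    if !arg.is_empty()
        && !arg.chars().any(|c| matches!(c, ' ' | '\t' | '\n' | '\x0b' | '"'))
    {
        return arg.to_string();
    }
    let mut out = String::from("\"");
    let mut backslashes = 0;
    for c in arg.chars() {
        match c {
            // Backslashes are only special when followed by a quote, so defer them.
            '\\' => backslashes += 1,
            '"' => {
                // Double the pending backslashes, then escape the quote itself.
                out.extend(std::iter::repeat('\\').take(backslashes * 2 + 1));
                out.push('"');
                backslashes = 0;
            }
            _ => {
                // Backslashes before an ordinary character are literal.
                out.extend(std::iter::repeat('\\').take(backslashes));
                out.push(c);
                backslashes = 0;
            }
        }
    }
    // Trailing backslashes must be doubled or they would escape the closing quote.
    out.extend(std::iter::repeat('\\').take(backslashes * 2));
    out.push('"');
    out
}

// Join the program name and each argument into one command-line string.
fn build_command_line(program: &str, args: &[&str]) -> String {
    std::iter::once(program)
        .chain(args.iter().copied())
        .map(quote_arg)
        .collect::<Vec<String>>()
        .join(" ")
}

fn main() {
    // The two cases from the thread: "a2 x y z" must survive as one argument.
    println!("{}", build_command_line("program", &["a1", "a2"]));
    println!("{}", build_command_line("program", &["a1", "a2 x y z"]));
}
```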