Re: Potential Argument Injection Issue in Cygwin's Command Line Handling

2025-02-11 Thread Brian Inglis via Cygwin
On 2025-02-10 19:09, Kaz Kylheku wrote: On 2025-02-10 12:32, Brian Inglis via Cygwin wrote: One can avoid any issues by running Cygwin programs only from other Cygwin programs, and Windows programs only from other Windows programs. Microsoft has provided a documented algorithm, which is imple

Re: Potential Argument Injection Issue in Cygwin's Command Line Handling

2025-02-10 Thread Kaz Kylheku via Cygwin
On 2025-02-03 22:15, Splitline Huang via Cygwin wrote: > Hello Cygwin team, > > I am splitline from DEVCORE research team. I recently have observed an > inconsistency > in how Cygwin handles command-line parsing compared to Microsoft’s > implementation. Hi, I maintain a small fork of the Cygwin

Re: Potential Argument Injection Issue in Cygwin's Command Line Handling

2025-02-10 Thread Kaz Kylheku via Cygwin
On 2025-02-10 12:32, Brian Inglis via Cygwin wrote: > One can avoid any issues by running Cygwin programs only from other Cygwin > programs, and Windows programs only from other Windows programs. Microsoft has provided a documented algorithm, which is implemented in the ShellAPI function Command

Re: Potential Argument Injection Issue in Cygwin's Command Line Handling

2025-02-10 Thread Brian Inglis via Cygwin
On 2025-02-09 20:48, Splitline Ng via Cygwin wrote: Windows is security deficient in this area, not Cygwin. I'll quote myself to share my opinion: https://git.lighttpd.net/lighttpd/lighttpd1.4/src/branch/master/src/fdevent_win32.c#L543 * The Microsoft CreateProcess() interface is criminall

Re: Potential Argument Injection Issue in Cygwin's Command Line Handling

2025-02-09 Thread Splitline Ng via Cygwin
> Windows is security deficient in this area, not Cygwin. > > I'll quote myself to share my opinion: > https://git.lighttpd.net/lighttpd/lighttpd1.4/src/branch/master/src/fdevent_win32.c#L543 > * The Microsoft CreateProcess() interface is criminally broken. > * Forcing argument strings to

Re: Potential Argument Injection Issue in Cygwin's Command Line Handling

2025-02-04 Thread Glenn Strauss via Cygwin
On Wed, Feb 05, 2025 at 11:45:10AM +0800, Splitline Ng via Cygwin wrote: > Hi Marco, > > > $ python3.12 > > Python 3.12.8 (main, Jan 31 2025, 21:29:51) [GCC 12.4.0] on cygwin > > Type "help", "copyright", "credits" or "license" for more information. > > import subprocess > > subprocess.run([

Re: Potential Argument Injection Issue in Cygwin's Command Line Handling

2025-02-04 Thread Splitline Ng via Cygwin
Hi Marco, > $ python3.12 > Python 3.12.8 (main, Jan 31 2025, 21:29:51) [GCC 12.4.0] on cygwin > Type "help", "copyright", "credits" or "license" for more information. > import subprocess > subprocess.run(['./test.exe', '"', " a b c"]) > argv[0] = ./test > argv[1] = " > argv[2] = a b c >

Re: Potential Argument Injection Issue in Cygwin's Command Line Handling

2025-02-03 Thread Marco Atzeri via Cygwin
On 04/02/2025 07:15, Splitline Huang via Cygwin wrote: Hello Cygwin team, I am splitline from DEVCORE research team. I recently have observed an inconsistency in how Cygwin handles command-line parsing compared to Microsoft’s implementation. According to Microsoft’s documentation [1], the \" s

Potential Argument Injection Issue in Cygwin's Command Line Handling

2025-02-03 Thread Splitline Huang via Cygwin
Hello Cygwin team, I am splitline from DEVCORE research team. I recently have observed an inconsistency in how Cygwin handles command-line parsing compared to Microsoft’s implementation. According to Microsoft’s documentation [1], the \" sequence should always be interpreted as a literal double