Mail Archives: cygwin/2025/01/10/02:30:38

Date: Thu, 09 Jan 2025 23:29:21 -0800
To: cygwin AT cygwin DOT com
Subject: Cygwin main function: vulnerable to wchar_t to char conversion attacks or not?
User-Agent: Roundcube Webmail/1.4.15
Message-ID: <2bc465c57c4826ff6eebbd566a92346e@kylheku.com>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
From: Kaz Kylheku via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Kaz Kylheku <kaz AT kylheku DOT com>

Hi all,

I'm reading an article on attacks that are evidently possible against some Windows
programs in the area of command line parsing. See below.

Does the Cygwin run-time rely on GetCommandLineA to get the char-based command
line that is parsed into argv[]?

If so, it could be vulnerable to attacks which embed Unicode quotes into the
command line, which GetCommandLineA normalizes to ASCII double quotes.

A program which prepares a command line will assiduously escape any double
quotes occurring in the arguments. But if fullwidth Unicode double quotes
occur in the arguments, they will be passed through verbatim, and then
turn into unescaped ASCII double quotes.

Article: https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
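The scenario in the message above, as an added example that is not part of the original post or of Cygwin: a hypothetical C model in which `argv_quote` escapes ASCII double quotes the way a careful launcher does, `narrow_ansi` stands in for the system's ANSI conversion behind GetCommandLineA with best-fit mapping on or off, and `parse_cmdline` splits the narrowed line by the CommandLineToArgvW rules. The mapping table is a constructed subset: only U+FF02 FULLWIDTH QUOTATION MARK is best-fit to `"`, which is the mapping the WorstFit article demonstrates; the function names and the sample arguments are assumptions made here, not anything from the article or the Cygwin run-time.

```c
/* Stand-alone model of the quote smuggling raised above (hypothetical code,
 * not Cygwin or Windows): correct wide quoting, ANSI narrowing, argv split. */
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#define MAXARGS 16
#define MAXLEN  256

/* Microsoft's documented ArgvQuote rules; returns wchar_t count, 0 if cap too small. */
static size_t argv_quote(const wchar_t *arg, wchar_t *out, size_t cap) {
    size_t n = 0, bs;
    if (*arg && !wcspbrk(arg, L" \t\n\v\"")) {          /* nothing to protect */
        if (wcslen(arg) + 1 > cap) return 0;
        return wcslen(wcscpy(out, arg));
    }
    if (cap < 3) return 0;
    out[n++] = L'"';
    for (const wchar_t *p = arg;; p++) {
        for (bs = 0; *p == L'\\'; p++) bs++;
        if (n + 2 * bs + 4 > cap) return 0;
        if (*p == 0) { while (bs--) { out[n++] = L'\\'; out[n++] = L'\\'; } break; }
        /* 2n+1 backslashes before ASCII '"', n otherwise; U+FF02 is not L'"'. */
        for (bs = *p == L'"' ? 2 * bs + 1 : bs; bs--; ) out[n++] = L'\\';
        out[n++] = *p;
    }
    out[n++] = L'"';
    out[n] = 0;
    return n;
}

/* Constructed model of WideCharToMultiByte to a single-byte ANSI code page: best fit
 * maps U+FF02 to '"' (the WorstFit mapping); WC_NO_BEST_FIT_CHARS behaviour gives '?'. */
static size_t narrow_ansi(const wchar_t *in, char *out, size_t cap, int best_fit) {
    size_t n = 0;
    for (; *in; in++) {
        unsigned long c = (unsigned long)*in;
        if (n + 2 > cap) return 0;
        out[n++] = c < 0x80 ? (char)c : (best_fit && c == 0xFF02) ? '"' : '?';
    }
    out[n] = 0;
    return n;
}
static void put(char *dst, size_t *len, char ch) { if (*len + 1 < MAXLEN) dst[(*len)++] = ch; }

/* CommandLineToArgvW rules: 2n backslashes + '"' give n backslashes and toggle
 * quoting; 2n+1 backslashes + '"' give n backslashes and a literal '"';
 * unquoted space/tab separates arguments (msvcrt's "" special case omitted). */
static int parse_cmdline(const char *cmd, char argv[][MAXLEN]) {
    int argc = 0, in_quotes = 0, have_arg = 0;
    size_t len = 0, bs;
    for (const char *p = cmd;; p++) {
        if (*p == 0 || (!in_quotes && (*p == ' ' || *p == '\t'))) {
            if (have_arg) { argv[argc][len] = 0; argc++; len = 0; have_arg = 0; }
            if (*p == 0 || argc == MAXARGS) break;
            continue;
        }
        have_arg = 1;
        if (*p == '\\') {
            for (bs = 0; *p == '\\'; p++) bs++;
            if (*p == '"') {
                for (size_t i = 0; i < bs / 2; i++) put(argv[argc], &len, '\\');
                if (bs % 2) put(argv[argc], &len, '"'); else in_quotes = !in_quotes;
            } else {
                while (bs--) put(argv[argc], &len, '\\');
                p--;                                 /* re-read the non-backslash char */
            }
        } else if (*p == '"') in_quotes = !in_quotes;
        else put(argv[argc], &len, *p);
    }
    return argc;
}

/* Quote and join the wide args, narrow them, split: returns argc, or -1 on overflow. */
static int argc_after(const wchar_t *const *wargv, int wargc, int best_fit, char argv[][MAXLEN]) {
    wchar_t wcmd[1024] = L"";
    char cmd[1024];
    size_t n = 0;
    for (int i = 0; i < wargc; i++) {
        if (i) wcmd[n++] = L' ';
        size_t q = argv_quote(wargv[i], wcmd + n, sizeof wcmd / sizeof *wcmd - n - 1);
        if (!q) return -1;
        n += q;
    }
    if (!narrow_ansi(wcmd, cmd, sizeof cmd, best_fit) && wcmd[0]) return -1;
    return parse_cmdline(cmd, argv);
}

/* Constructed input: argument 3 is attacker-controlled; no ASCII '"' or '\', only U+FF02. */
static const wchar_t *const demo_args[] = {
    L"tool.exe", L"safe arg", L"name\uFF02 --unsafe-flag \uFF02tail" };
int main(void) {
    char argv[MAXARGS][MAXLEN];
    for (int bf = 0; bf < 2; bf++) {
        int argc = argc_after(demo_args, 3, bf, argv);
        printf("%s: argc=%d\n", bf ? "best fit" : "no best fit", argc);
        for (int i = 0; i < argc; i++) printf("  argv[%d] = %s\n", i, argv[i]);
    }
    return 0;
}
```

Run as-is, the strict branch yields argc=3 with the third argument intact apart from '?' substitutions, while the best-fit branch yields argc=5 with `--unsafe-flag` as its own argv entry, although the launcher escaped every ASCII quote. The strict branch corresponds to WideCharToMultiByte's WC_NO_BEST_FIT_CHARS flag, which a program can pass for conversions it performs itself; that is why it matters which API the run-time uses to obtain the command line.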
