Mail Archives: cygwin/2025/01/10/02:35:33

Date: Fri, 10 Jan 2025 10:33:07 +0300
X-Mailer: The Bat! (v9.3.4) Professional
Message-ID: <176904400.20250110103307@yandex.ru>
To: Kaz Kylheku <kaz AT kylheku DOT com>, cygwin AT cygwin DOT com
Subject: Re: Cygwin main function: vulnerable to wchar_t to char conversion attacks or not?
In-Reply-To: <2bc465c57c4826ff6eebbd566a92346e@kylheku.com>
References: <2bc465c57c4826ff6eebbd566a92346e AT kylheku DOT com>
From: Andrey Repin via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Andrey Repin <anrdaemon AT yandex DOT ru>

Greetings, Kaz Kylheku!

> Hi all,

> I'm reading an article on attacks that are evidently possible against some Windows
> programs in the area of command line parsing. See below.

> Does the Cygwin run-time rely on GetCommandLineA to get the char-based command
> line that is parsed into argv[]?

You can answer this question yourself. The code is open.

> If so, it could be vulnerable to attacks which embed Unicode quotes into the
> command line, which GetCommandLineA normalizes to ASCII double quotes.

> A program which prepares a command line will assiduously escape any double
> quotes occurring in the arguments. But if fullwidth Unicode double quotes
> occur in the arguments, they will be passed through verbatim, and then
> turn into unescaped ASCII double quotes.

> Article:
> https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/



-- 
With best regards,
Andrey Repin
Friday, January 10, 2025 10:32:40

Sorry for my terrible english...
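
The effect described in the quoted question, modelled as an added example (not part of this message, the linked article, or Cygwin's code): a caller escapes ASCII quotes correctly, yet the argument vector changes once the wide command line is narrowed. Assumptions: `BEST_FIT` is a constructed one-entry table holding only the fullwidth quote named above, `split_args` is a simplified model of MSVCRT-style splitting, and `narrow`, `child_argv` and `survives_narrowing` are hypothetical names; `subprocess.list2cmdline` is Python's real quoting routine.

```python
import subprocess

# Constructed one-entry stand-in for the ANSI best-fit narrowing the thread
# attributes to GetCommandLineA; the real mapping depends on the code page.
BEST_FIT = {"\uff02": '"'}   # FULLWIDTH QUOTATION MARK -> ASCII double quote

def narrow(cmdline):
    """Model the wide -> char conversion of a whole command line."""
    return "".join(BEST_FIT.get(ch, ch) for ch in cmdline)

def split_args(cmdline):
    """Simplified MSVCRT-style splitting: whitespace, quotes, backslash-quote."""
    args, cur, in_quotes, started, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\":
            n = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                n, i = n + 1, i + 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append("\\" * (n // 2))      # 2n backslashes -> n
                if n % 2:
                    cur.append('"')              # odd count: literal quote
                else:
                    in_quotes = not in_quotes    # even count: quote toggles
                i += 1
            else:
                cur.append("\\" * n)             # not before a quote: literal
            started = True
        elif ch == '"':
            in_quotes, started, i = not in_quotes, True, i + 1
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started, i = [], False, i + 1
        else:
            cur.append(ch)
            started, i = True, i + 1
    if started:
        args.append("".join(cur))
    return args

def child_argv(argv):
    """argv as a child using the narrowed command line would parse it."""
    return split_args(narrow(subprocess.list2cmdline(argv)))

def survives_narrowing(argv):
    """Parent-side check: True only if the child would see the same argv."""
    return child_argv(argv) == list(argv)
```

An argument with escaped ASCII quotes round-trips unchanged, while the same argument written with U+FF02 reaches the child as two separate arguments, so `survives_narrowing` returns False for it.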

