Mail Archives: cygwin/2025/02/09/22:49:25

References: <CAM2z_YX8cbwea+he+83924SpZAdofp-srLk3Mzof2U4viXgctQ AT mail DOT gmail DOT com>
<CAM2z_YVYuoq28ZzmZn1RTWdRYLNpGMgjBzRQnKdZ0bb4yTmv=w AT mail DOT gmail DOT com>
<Z6ME2gh4Mu4Xz3pY AT xps13>
In-Reply-To: <Z6ME2gh4Mu4Xz3pY@xps13>
Date: Mon, 10 Feb 2025 11:48:09 +0800
Message-ID: <CAM2z_YUpN4RFCxxA9cLK=qU-vNqHNP7BTL0iFCM_eRg6Me3JrQ@mail.gmail.com>
Subject: Re: Potential Argument Injection Issue in Cygwin's Command Line Handling
To: Glenn Strauss <gs-cygwin DOT com AT gluelogic DOT com>
Cc: cygwin AT cygwin DOT com
From: Splitline Ng via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Splitline Ng <splitline AT devco DOT re>

> Windows is security deficient in this area, not Cygwin.
>
> I'll quote myself to share my opinion:
> https://git.lighttpd.net/lighttpd/lighttpd1.4/src/branch/master/src/fdevent_win32.c#L543
>      * The Microsoft CreateProcess() interface is criminally broken.
>      * Forcing argument strings to be concatenated into a single string
>      * only to be re-parsed by Windows can lead to security issues.
>      *
>      * Above comment from 2021 was true then as now in 2025
>      * https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/

Yes, I agree with you; this design has always been really problematic,
and it was totally a bad idea. But at this point, it's probably a huge
design debt, and I imagine it's not an easy fix for Microsoft.

Back to this issue, the argument parsing logic is indeed handled by
Cygwin itself, not Windows. So regardless of the question of who
should be held responsible for this, I think it’s still reasonable to
follow the convention. At the very least, it might be a minor
inconvenience for some regular users.

P.S. I did the research on the argument-splitting part of the blog
post you quoted. That's why I noticed this issue, and I was also quite
surprised by this bad design in Windows.

Regards,
splitline
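The exchange above turns on one mechanism: argv is flattened into a single command-line string and later split again, so the result is only correct when the side doing the quoting and the side doing the splitting agree on the rules. The following is an added illustration, not code from this thread, from Cygwin (whose own parser the reply says does the splitting) or from Windows. `msvc_split()` models the argument-splitting rules Microsoft documents for its C runtime (whitespace separates arguments, quotes toggle literal mode, backslashes are special only before a quote), and `msvc_quote()` is the matching inverse. The doubled-quote-inside-quotes quirk of some CRT versions and the special treatment of argv[0] are deliberately not modeled. `naive_join()` is the kind of hand-rolled quoting that produces an injected argument, and the sample argv and edge cases are constructed for the demo.

```python
# Added illustration (not Cygwin's code and not from the thread): concatenating argv into one
# string and re-parsing it only round-trips when quoting and parsing follow the same rules.
# msvc_split() follows the argument-parsing rules documented for the Microsoft C runtime;
# the CRT's doubled-quote-inside-quotes quirk and the argv[0] special case are not modeled.

def msvc_split(cmdline: str) -> list:
    """Split a Windows-style command line into argv using the documented CRT rules."""
    argv = []
    i, n = 0, len(cmdline)
    while i < n:
        while i < n and cmdline[i] in " \t":   # whitespace separates arguments outside quotes
            i += 1
        if i >= n:
            break
        cur = []
        in_quotes = False
        while i < n:
            c = cmdline[i]
            if c == "\\":
                bs = 0
                while i < n and cmdline[i] == "\\":
                    bs += 1
                    i += 1
                if i < n and cmdline[i] == '"':
                    cur.append("\\" * (bs // 2))   # 2n backslashes before a quote -> n backslashes
                    if bs % 2:                     # odd count: the quote is escaped, emit it literally
                        cur.append('"')
                        i += 1
                    # even count: the quote is a delimiter, handled on the next iteration
                else:
                    cur.append("\\" * bs)          # backslashes not followed by a quote are literal
            elif c == '"':
                in_quotes = not in_quotes          # a bare quote toggles "whitespace is literal" mode
                i += 1
            elif c in " \t" and not in_quotes:
                break
            else:
                cur.append(c)
                i += 1
        argv.append("".join(cur))
    return argv


def msvc_quote(arg: str) -> str:
    """Quote one argument so that msvc_split() recovers it exactly (inverse of the rules above)."""
    if arg and not any(c in arg for c in ' \t\n\v"'):
        return arg                                  # nothing to protect
    out = ['"']
    i, n = 0, len(arg)
    while i < n:
        bs = 0
        while i < n and arg[i] == "\\":
            bs += 1
            i += 1
        if i == n:
            out.append("\\" * (bs * 2))             # trailing backslashes: double them so the
                                                    # closing quote stays a delimiter
        elif arg[i] == '"':
            out.append("\\" * (bs * 2 + 1) + '"')   # embedded quote: double backslashes, escape quote
            i += 1
        else:
            out.append("\\" * bs + arg[i])          # any other character: backslashes stay literal
            i += 1
    out.append('"')
    return "".join(out)


def naive_join(argv) -> str:
    """Hand-rolled quoting seen in the wild: quote only when there is a space, never escape."""
    return " ".join(f'"{a}"' if " " in a else a for a in argv)


def safe_join(argv) -> str:
    """Flatten argv with quoting that matches msvc_split()."""
    return " ".join(msvc_quote(a) for a in argv)


# Constructed sample: the third argument is attacker-controlled (hypothetical filename input).
INJECTED_ARGV = ["convert", "--output", 'file.txt" --overwrite "x']

# Constructed edge cases: trailing backslashes, embedded quotes, empty argument, plain word.
TRICKY_ARGS = ["a b", "c:\\dir name\\", 'say "hi"', "", "\\", 'x\\"y', "plain"]


def round_trips(arg: str) -> bool:
    """True when quoting then splitting gives back exactly the original single argument."""
    return msvc_split(msvc_quote(arg)) == [arg]


if __name__ == "__main__":
    # Naive quoting lets the embedded quote close the argument early: "--overwrite" appears
    # as a separate argv entry the caller never passed.
    print(msvc_split(naive_join(INJECTED_ARGV)))
    # Rule-matching quoting keeps the attacker's text inside one argument.
    print(msvc_split(safe_join(INJECTED_ARGV)))
    print(all(round_trips(a) for a in TRICKY_ARGS))
```

The point the demo makes is the one the quoted lighttpd comment makes: there is no way to hand the child an argv array, so the only defence is quoting that is exactly the inverse of whatever the receiving side's splitter does, and any mismatch between the two (a different runtime, a different program doing its own splitting) turns an embedded quote into an extra argument.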
