DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 50A7Ucdk1426493 Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 50A7Ucdk1426493 Authentication-Results: delorie.com; dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=ja6/3t5U X-Recipient: archive-cygwin@delorie.com DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 711763858D20 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; s=default; t=1736494236; bh=ivmogIvdvxQbNkZpqrxSUIE4VNXxbJwsfh3kdYD+Rcc=; h=Date:To:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:From; b=ja6/3t5UYxcPBLBDx8UcZy6ls3/u0/yZS05k83gjBG0ejtNL9UUIzcveMX9fHqmPr QyEh/B4xE1BMCxNXMEJ4E2B19RlTD6jQFlqDEGm0zgX0dE0p09bG6AWKSnhRB99vBT pC/6kA1kxudJkvKUq0j76u/qAiYVFBIMEoE/eUes= X-Original-To: cygwin@cygwin.com Delivered-To: cygwin@cygwin.com DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org E5983385843B ARC-Filter: OpenARC Filter v1.0.0 sourceware.org E5983385843B ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1736494205; cv=none; b=tbKEBeoiFCReOzGJCcywSizzV3HU/MfVdPQbimZo+fT48G50RA3srtN4tLih/yQSWF2MunEmCeaE2Fso0U41lzJv1zwlr6xapehtN2FpWQtINjLkmIspGn8lMz50WswoVfyX1nX6O2fxPwyWMSZwGz/OuxIk12qK8Zr5xSXxIqo= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1736494205; c=relaxed/simple; bh=2xuIjOq0shFtKuRRHmN7QLfT9At32pvLah994fj68T8=; h=MIME-Version:Date:From:To:Subject:Message-ID; b=HJDYAjdjOEAlTSHXvKZRfuinhGezrz5UTfMY1e1L3Oq9zynf7wJnNwEXu2JWl8Q2X/FmV+H6jcGMqmw+bBL1QMlwIw7X15L+2mctsxhsboZ9dvszYPr6F1dMtrrYI6RTX8Lsvvyb84/l2eOCNasrhn8wg8zpr/meBFBfpucUh28= ARC-Authentication-Results: i=1; server2.sourceware.org DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org E5983385843B MIME-Version: 1.0 Date: Thu, 09 Jan 2025 23:29:21 -0800 To: cygwin@cygwin.com Subject: Cygwin main function: vulnerable to wchar_t to char conversion attacks or not? User-Agent: Roundcube Webmail/1.4.15 Message-ID: <2bc465c57c4826ff6eebbd566a92346e@kylheku.com> X-Sender: kaz@kylheku.com X-MagicMail-OS: Unknown X-MagicMail-UUID: b4bb71d4-cf24-11ef-a49f-00505695d298 X-MagicMail-Authenticated: fuck.telus@novus.ca X-MagicMail-SourceIP: 104.37.63.7 X-MagicMail-RegexMatch: 1 X-MagicMail-EnvelopeFrom: X-BeenThere: cygwin@cygwin.com X-Mailman-Version: 2.1.30 List-Id: General Cygwin discussions and problem reports List-Archive: List-Post: List-Help: List-Subscribe: , From: Kaz Kylheku via Cygwin Reply-To: Kaz Kylheku Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Cygwin" Hi all, I'm reading an article on attacks that are evidently possible against some Windows programs in the area of command line parsing. See below. Does the Cygwin run-time rely on GetCommandLineA to get the char-based command line that is parsed into argv[]? If so, it could be vulnerable to attacks which embed Unicode quotes into the command line, which GetCommandLineA normalizes to ASCII double quotes. A program which prepares a command line will assiduously escape any double quotes occurring in the arguments. But if fullwidth Unicode double quotes occur in the arguments, they will be passed through verbatim, and then turn into unescaped ASCII double quotes. Article: https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/ -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple