DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 50A7ZWC71427838 Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 50A7ZWC71427838 Authentication-Results: delorie.com; dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=blL87dC4 X-Recipient: archive-cygwin@delorie.com DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org D8C413858C3A DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; s=default; t=1736494531; bh=Uvr/9RAUtsGmxHLdR1NS1I7R6hQMyfoLZYeJaMMP7g8=; h=Date:To:Subject:In-Reply-To:References:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=blL87dC4g41XHwq7HXMzU8uqxM44F58nuwzy/OgD84ZI/yWvDhRr7Nhu1u8tdLVcc fNRxbVOFkEC77PrsxXSnOXIs4OlC4tEWBSIWxOVNE6EBsuu0Z1I0HBqazNaWhav88w VBXPS+/WrJLzYBGqsSF+br1/EJ0DTSGbyTfiwAhE= X-Original-To: cygwin@cygwin.com Delivered-To: cygwin@cygwin.com DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org C91843858D20 ARC-Filter: OpenARC Filter v1.0.0 sourceware.org C91843858D20 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1736494506; cv=none; b=Oqgj6R6AsZ1bP7e7+DtqT8u44Z+XwMTpcUYcBcCHLl2cGGurRwMtPcplzDK3VAOm2tI2cJtVwl9SKJp+WxrjUaCUT2ig5GYm9sIADizzmGGAC/Isz1yi33Znxk9joI0I0D0vlYqTgvhjvDrl/w/67x4AMPsMu3SSKePxgbvFgMM= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1736494506; c=relaxed/simple; bh=RxJcz3pC9GOPMc21iLANI0SvRhMtMzbozAnTi3rQSpE=; h=DKIM-Signature:Date:From:Message-ID:To:Subject:MIME-Version; b=atmxzA3dJr6UJmGcFBgjRmVBbYd6Ey1HNQK3bIhTuSVHce9Q1WDqkjotkiDDVVuLSUs49Ac770OeF5QgkGYk0TcMbsK67L7zLLDBH6T6DAQOv73m8n8n9sdG+gOahwzFuBKJ5HPMcKJlpiAWqm/VPKB9EIoNMhGromp4Tt6Cpck= ARC-Authentication-Results: i=1; server2.sourceware.org DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org C91843858D20 X-Yandex-Fwd: 1 Date: Fri, 10 Jan 2025 10:33:07 +0300 X-Mailer: The Bat! (v9.3.4) Professional Message-ID: <176904400.20250110103307@yandex.ru> To: Kaz Kylheku , cygwin@cygwin.com Subject: Re: Cygwin main function: vulnerable to wchar_t to char conversion attacks or not? In-Reply-To: <2bc465c57c4826ff6eebbd566a92346e@kylheku.com> References: <2bc465c57c4826ff6eebbd566a92346e@kylheku.com> MIME-Version: 1.0 X-BeenThere: cygwin@cygwin.com X-Mailman-Version: 2.1.30 Precedence: list List-Id: General Cygwin discussions and problem reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Andrey Repin via Cygwin Reply-To: cygwin@cygwin.com Cc: Andrey Repin Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: cygwin-bounces~archive-cygwin=delorie.com@cygwin.com Sender: "Cygwin" Greetings, Kaz Kylheku! > Hi all, > I'm reading an article on attacks that are evidently possible against some Windows > programs in the area of command line parsing. See below. > Does the Cygwin run-time rely on GetCommandLineA to get the char-based command > line that is parsed into argv[]? You can answer this question yourself. The code is open. > If so, it could be vulnerable to attacks which embed Unicode quotes into the > command line, which GetCommandLineA normalizes to ASCII double quotes. > A program which prepares a command line will assiduously escape any double > quotes occurring in the arguments. But if fullwidth Unicode double quotes > occur in the arguments, they will be passed through verbatim, and then > turn into unescaped ASCII double quotes. > Article: > https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/ -- With best regards, Andrey Repin Friday, January 10, 2025 10:32:40 Sorry for my terrible english... -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple