Message-ID: <9cd08a3d-f196-4adc-8b81-6dc3abb14718@systematicsw.ab.ca>
Date: Tue, 11 Feb 2025 14:53:12 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Potential Argument Injection Issue in Cygwin's Command Line
 Handling
Content-Language: en-CA
To: cygwin@cygwin.com
References: <CAM2z_YX8cbwea+he+83924SpZAdofp-srLk3Mzof2U4viXgctQ@mail.gmail.com>
 <CAM2z_YVYuoq28ZzmZn1RTWdRYLNpGMgjBzRQnKdZ0bb4yTmv=w@mail.gmail.com>
 <Z6ME2gh4Mu4Xz3pY@xps13>
 <CAM2z_YUpN4RFCxxA9cLK=qU-vNqHNP7BTL0iFCM_eRg6Me3JrQ@mail.gmail.com>
 <8ac24b73-54e9-470b-9fa8-6da07f3e2d42@SystematicSW.ab.ca>
 <69f47b2daf1a6a46b0200c31669e1aee@kylheku.com>
Organization: Systematic Software
In-Reply-To: <69f47b2daf1a6a46b0200c31669e1aee@kylheku.com>
X-BeenThere: cygwin@cygwin.com
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-request@cygwin.com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=subscribe>
From: Brian Inglis via Cygwin <cygwin@cygwin.com>
Reply-To: cygwin@cygwin.com
Cc: Brian Inglis <Brian.Inglis@systematicsw.ab.ca>,
        Kaz Kylheku <kaz@kylheku.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: cygwin-bounces~archive-cygwin=delorie.com@cygwin.com
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie.com@cygwin.com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by delorie.com id 51BLsD0B506977

On 2025-02-10 19:09, Kaz Kylheku wrote:
> On 2025-02-10 12:32, Brian Inglis via Cygwin wrote:
>> One can avoid any issues by running Cygwin programs only from other Cygwin programs, and Windows programs only from other Windows programs.
> 
> Microsoft has provided a documented algorithm, which is implemented in the ShellAPI function CommandLineToArgvW, and in the CRT module that prepares arguments for the main or wmain functions of Microsoft Visual C/C++ programs.
> 
> I believe that the algorithm is sound in that it can round-trip any argv[] vector to string, and then back to recover an identical argv[].
> 
> (Am I correct?)

It appears not, from the previous comments: the MS algorithm/hackaround messes up 
various argument strings and makes the original contents irretrievable, if they 
do not obey their limitations, rather than just pass along the verbatim command 
line as a string, as assumed by POSIX programs, normally preceding the 
environment in the heap, like an anonymous environment variable.

I prefer that Cygwin programs work like all other POSIX programs, as I maintain 
a few dozen packages, and build a bunch of others I use that, for the most part, 
port and run with no or only very minor patching, to work around Windows issues.

If every package had to work around the Windows issues that Cygwin handles for 
us, we would not have many packages available, and be unable to support the 
POSIX and Unix subsystems we do, that transparently interoperate with other Unix 
compatible systems Cygwin users can access around the globe.

If you want to handle Windows command lines the MS way, feel free to use Windows 
compilers and APIs, including AOCC, ICC, VC89, mingw64-x86_64-binutils/gcc, etc.

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retrancher  but when there is no more to cut
                                 -- Antoine de Saint-Exupéry

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
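
Added example, not part of the original message and not Microsoft's or Cygwin's code: a sketch of the documented backslash/double-quote rules that the quoted question refers to, with a matching quoting routine, so the round trip can be checked on constructed arguments. It covers arguments after the program name only, omits the doubled-quote ("") special case inside a quoted string because the quoting routine never emits it, and says nothing about how Cygwin itself parses the line; all function names and the sample values are assumptions made for this illustration.

```python
def quote_arg(arg):
    """Quote one argument so parse_cmdline() below recovers it unchanged."""
    if arg and not any(c in arg for c in ' \t"'):
        return arg
    out, pending = ['"'], 0
    for ch in arg:
        if ch == "\\":
            pending += 1
            continue
        # Backslashes before a quote are doubled and the quote is escaped.
        out.append("\\" * (2 * pending + 1 if ch == '"' else pending) + ch)
        pending = 0
    # A trailing backslash run is doubled so it cannot escape the closing quote.
    return "".join(out) + "\\" * (2 * pending) + '"'

def parse_cmdline(line):
    """Split a command line using the documented backslash/quote rules."""
    args, cur, in_quotes, started, i = [], [], False, False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\":
            j = i
            while j < len(line) and line[j] == "\\":
                j += 1
            run, quote_next = j - i, line[j:j + 1] == '"'
            cur.append("\\" * (run // 2 if quote_next else run))
            if quote_next and run % 2:   # odd run: the quote is literal
                cur.append('"')
                j += 1
            started, i = True, j
            continue
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
        i += 1
    return args + (["".join(cur)] if started else [])

def naive_join(argv):
    return " ".join('"' + a + '"' for a in argv)  # no escaping at all

# Constructed sample arguments (empty, spaces, quotes, trailing backslashes).
SAMPLE = ["", "plain", "two words", 'say "hi"', "C:\\dir name\\", 'tail\\"', "a\\\\b"]

def round_trip(argv):
    return parse_cmdline(" ".join(quote_arg(a) for a in argv))
```

Wrapping arguments in quotes without the escaping step (naive_join) does not survive the same parser: an embedded quote splits one argument into several, and a trailing backslash swallows the closing quote.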

