Message-ID: <435451.56628.qm@web88306.mail.re4.yahoo.com>
Date: Mon, 15 Mar 2010 12:32:37 -0700 (PDT)
From: Ilguiz Latypov
Subject: Re: allow executing a path in backslash notation
To: cygwin AT cygwin DOT com

> This has been changed deliberately, otherwise
> the execp functions have a potential security problem. If you omit the
> NNF flag, the function returns the original path unchanged, instead of
> NULL.

I see that my conjecture about the root cause of the observed inconsistency was incorrect. But my conjecture was only secondary to the patch. The conjecture was about spawnvpe() succeeding where execvp() failed. Your answer means that spawnvpe() should also call find_exec() with the extra 2 parameters, "PATH=" and FE_NNF.

Is my primary concern still valid? I.e., should execvp..()/spawnvp..() succeed in executing backslash notation of relative and absolute paths? If these inputs should be allowed, did my patch address the issue correctly?

I agree that a basename-only path should not resolve against current directory according to the execvp..() specs. I believe the relative and absolute paths are allowed to resolve.
--

[Attachment: cygwin-dos-compatibility.txt]
[Attachment: exec.c]
[Attachment: exec-test-case2.txt]
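
The resolution rule discussed in this message (a bare name is looked up in PATH only and yields NULL when nothing matches, while a name containing a slash, backslash or drive prefix is used as given), as an added C sketch that is not part of the original post and is not Cygwin's find_exec(). The names `is_pathname`, `resolve_exec`, `resolves_to` and the `sample_fs` table are hypothetical, and PATH is assumed to be colon-separated.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample "filesystem": the only executables that exist here. */
static const char *const sample_fs[] = { "/usr/bin/echo", "./echo", "../echo", NULL };

static int fs_exists(const char *p) {
    for (size_t i = 0; sample_fs[i]; i++)
        if (strcmp(sample_fs[i], p) == 0)
            return 1;
    return 0;
}

/* A name holding '/', '\\' or a drive prefix is a pathname: no PATH search. */
int is_pathname(const char *name) {
    int drive = (name[0] | 0x20) >= 'a' && (name[0] | 0x20) <= 'z' && name[1] == ':';
    return drive || strchr(name, '/') != NULL || strchr(name, '\\') != NULL;
}

/* Returns buf on success and NULL otherwise, never the input unchanged. */
const char *resolve_exec(const char *name, const char *path, char *buf, size_t len) {
    if (is_pathname(name)) {
        if (snprintf(buf, len, "%s", name) >= (int)len)
            return NULL;                      /* would not fit */
        for (char *c = buf; *c; c++)          /* normalise DOS separators */
            if (*c == '\\')
                *c = '/';
        return fs_exists(buf) ? buf : NULL;
    }
    /* Bare name: PATH entries only. The current directory is tried only when
       PATH lists it; empty entries are skipped (a choice of this sketch). */
    while (path && *path) {
        size_t n = strcspn(path, ":");
        int w = snprintf(buf, len, "%.*s/%s", (int)n, path, name);
        if (n > 0 && w > 0 && (size_t)w < len && fs_exists(buf))
            return buf;
        path += n + (path[n] == ':');
    }
    return NULL;
}

/* 1 when name resolves to want; want == NULL means it must not resolve. */
int resolves_to(const char *name, const char *path, const char *want) {
    char buf[64];
    const char *got = resolve_exec(name, path, buf, sizeof buf);
    return want ? (got && strcmp(got, want) == 0) : got == NULL;
}

int main(void) {   /* exit status 0: "..\echo" resolved without a PATH search */
    return !resolves_to("..\\echo", "/usr/bin", "../echo");
}
```

Returning NULL for an unmatched bare name is what keeps a caller from falling back to executing `echo` from the current directory when PATH does not list it.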