From: Marco Atzeri via Cygwin
Reply-To: Marco Atzeri
Date: Fri, 10 Jan 2025 08:52:29 +0100
Subject: Re: Cygwin main function: vulnerable to wchar_t to char conversion attacks or not?
To: cygwin AT cygwin DOT com
Cc: Kaz Kylheku
References: <2bc465c57c4826ff6eebbd566a92346e AT kylheku DOT com> <176904400 DOT 20250110103307 AT yandex DOT ru>
In-Reply-To: <176904400.20250110103307@yandex.ru>

On 10/01/2025 08:33, Andrey Repin via Cygwin wrote:
> Greetings, Kaz Kylheku!
>
>> Hi all,
>
>> I'm reading an article on attacks that are evidently possible against some Windows
>> programs in the area of command line parsing. See below.
>
>> Does the Cygwin run-time rely on GetCommandLineA to get the char-based command
>> line that is parsed into argv[]?
>
> You can answer this question yourself. The code is open.

Specifically on https://cygwin.com/git/newlib-cygwin.git

/pub/Cygwin/git/newlib-cygwin
$ grep -rH GetCommandLineA .
./winsup/CVSChangeLogs.old/cygwin/ChangeLog-2013: (cygwin_GetCommandLineA): Ditto.
./winsup/cygwin/cygwin.din:GetCommandLineA AT 0 = cygwin_GetCommandLineA AT 0 NOSIGFE
./winsup/cygwin/include/cygwin/version.h: 268: Export GetCommandLineA, GetCommandLineW
./winsup/cygwin/kernel32.cc:/* Cygwin replacement for GetCommandLineA. Returns a concatenated string
./winsup/cygwin/kernel32.cc:cygwin_GetCommandLineA (void)

Regards
Marco

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple