From: Splitline Ng via Cygwin
Reply-To: Splitline Ng
To: Glenn Strauss
Cc: cygwin AT cygwin DOT com
Date: Mon, 10 Feb 2025 11:48:09 +0800
Subject: Re: Potential Argument Injection Issue in Cygwin's Command Line Handling
List-Id: General Cygwin discussions and problem reports

> Windows is security deficient in this area, not Cygwin.
>
> I'll quote myself to share my opinion:
> https://git.lighttpd.net/lighttpd/lighttpd1.4/src/branch/master/src/fdevent_win32.c#L543
>  * The Microsoft CreateProcess() interface is criminally broken.
>  * Forcing argument strings to be concatenated into a single string
>  * only to be re-parsed by Windows can lead to security issues.
>  *
>  * Above comment from 2021 was true then as now in 2025
>  * https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/

Yes, I agree with you, this design has always been really problematic,
that was totally a bad idea. But at this point, it's probably a huge
design debt, and I imagine it’s not an easy fix for Microsoft.

Back to this issue, the argument parsing logic is indeed handled by
Cygwin itself, not Windows. So regardless of the question of who should
be held responsible for this, I think it’s still reasonable to follow
the convention. At the very least, it might be a minor inconvenience
for some regular users.

P.S. I did the research on the argument-splitting part of the blog post
you quoted. That's why I noticed this issue, and I was also quite
surprised by this bad design in Windows.

Regards,
splitline

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
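
Added example (not part of the original message, and not Cygwin's or lighttpd's code): the concatenate-then-re-parse hazard from the quoted comment, assuming "the convention" means the Microsoft C runtime's argument-parsing rules. The helper names and the sample argv are constructed for illustration; the parser covers arguments only, not argv[0] or the in-quote "" rule.

```python
def quote_arg(arg):
    """Quote one argument so the MS C runtime rules parse it back unchanged."""
    if arg and not any(c in ' \t\n\v"' for c in arg):
        return arg
    out, bs = '"', 0
    for ch in arg:
        if ch == "\\":
            bs += 1
            continue
        # Backslashes that precede a quote are doubled and the quote escaped;
        # backslashes before any other character stay literal.
        out += "\\" * (2 * bs + 1) + '"' if ch == '"' else "\\" * bs + ch
        bs = 0
    return out + "\\" * (2 * bs) + '"'  # trailing run precedes the closing quote

def parse_cmdline(line):
    """Split a command line the way the receiving process would (arguments only)."""
    args, cur, bs, in_q, started = [], "", 0, False, False
    for ch in line:
        if ch == "\\":
            bs, started = bs + 1, True
            continue
        if ch == '"':
            # 2n backslashes + quote: n backslashes, quote toggles quoting.
            # 2n+1 backslashes + quote: n backslashes and a literal quote.
            cur += "\\" * (bs // 2)
            if bs % 2:
                cur += '"'
            else:
                in_q = not in_q
            started = True
        elif ch in " \t" and not in_q:
            if started:
                args.append(cur + "\\" * bs)
            cur, started = "", False
        else:
            cur += "\\" * bs + ch
            started = True
        bs = 0
    if started:
        args.append(cur + "\\" * bs)
    return args

def naive_join(argv):   # weak: wraps in quotes but escapes nothing
    return " ".join('"' + a + '"' for a in argv)

def safe_join(argv):    # corrected: per-argument quoting before concatenation
    return " ".join(quote_arg(a) for a in argv)

# Constructed sample: three arguments, one with embedded quotes, one ending in "\".
SAMPLE_ARGV = ["report.txt", 'a" --extra "b', "C:\\dir with space\\"]
if __name__ == "__main__":
    print(parse_cmdline(naive_join(SAMPLE_ARGV)))  # five arguments, not three
    print(parse_cmdline(safe_join(SAMPLE_ARGV)))   # the original three
```

A parser on the receiving side that deviates from these rules breaks the round trip even when the sender quotes correctly, which is why both ends need to agree on one convention.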