Message-ID: <9cd08a3d-f196-4adc-8b81-6dc3abb14718@systematicsw.ab.ca>
Date: Tue, 11 Feb 2025 14:53:12 -0700
Subject: Re: Potential Argument Injection Issue in Cygwin's Command Line Handling
To: cygwin AT cygwin DOT com
References: <8ac24b73-54e9-470b-9fa8-6da07f3e2d42 AT SystematicSW DOT ab DOT ca> <69f47b2daf1a6a46b0200c31669e1aee AT kylheku DOT com>
In-Reply-To: <69f47b2daf1a6a46b0200c31669e1aee@kylheku.com>
Organization: Systematic Software
From: Brian Inglis via Cygwin
Reply-To: cygwin AT cygwin DOT com
Cc: Brian Inglis, Kaz Kylheku

On 2025-02-10 19:09, Kaz Kylheku wrote:
> On 2025-02-10 12:32, Brian Inglis via Cygwin wrote:
>> One can avoid any issues by running Cygwin programs only from other Cygwin programs, and Windows programs only from other Windows programs.
>
> Microsoft has provided a documented algorithm, which is implemented in the ShellAPI function CommandLineToArgvW, and in the CRT module that prepares arguments for the main or wmain functions of Microsoft Visual C/C++ programs.
>
> I believe that the algorithm is sound in that it can round-trip any argv[] vector to string, and then back to recover an identical argv[].
>
> (Am I correct?)

It appears not from the previous comments, the MS algorithm/hackaround messes up various argument strings and makes the original contents irretrievable, if they do not obey their limitations, rather than just pass along the verbatim command line as a string, as assumed by POSIX programs, normally preceding the environment in the heap, like an anonymous environment variable.

I prefer that Cygwin programs work like all other POSIX programs, as I maintain a few dozen packages, and build a bunch of others I use that, for the most part, port and run with no or only very minor patching, to work around Windows issues. If every package had to work around the Windows issues that Cygwin handles for us, we would not have many packages available, and be unable to support the POSIX and Unix subsystems we do, that transparently interoperate with other Unix compatible systems Cygwin users can access around the globe.

If you want to handle Windows command lines the MS way, feel free to use Windows compilers and APIs, including AOCC, ICC, VC89, mingw64-x86_64-binutils/gcc, etc.

--
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retrancher  but when there is no more to cut
                                -- Antoine de Saint-Exupéry
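
The round-trip question in the quoted text can be checked against a model of the documented backslash and double-quote rules. This is an added example, not code from the thread, Cygwin or Microsoft: `quote_arg`, `split_args` and `round_trip` are hypothetical names, and the model covers arguments after argv[0] only, leaving out the doubled-quote case inside quoted text, cmd.exe metacharacters and Cygwin's own glob and @file processing.

```python
def quote_arg(arg):
    if arg and not any(c in arg for c in ' \t"'):
        return arg
    out, slashes = ['"'], 0
    for ch in arg:
        if ch == '\\':
            slashes += 1
            continue
        # Before a quote: double the backslashes, add one to escape the quote.
        out.append('\\' * (2 * slashes + 1 if ch == '"' else slashes) + ch)
        slashes = 0
    # Trailing backslashes are doubled so they cannot escape the closing quote.
    out.append('\\' * (2 * slashes) + '"')
    return ''.join(out)

def split_args(cmdline):
    # Model of the parsing side (assumption: doubled-quote case not modelled).
    args, cur, in_quotes, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '\\':
            j = i
            while j < len(cmdline) and cmdline[j] == '\\':
                j += 1
            n, i, have_arg = j - i, j, True
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append('\\' * (n // 2))   # 2n or 2n+1 backslashes give n
                if n % 2:                     # odd count: the quote is literal
                    cur.append('"')
                    i += 1
            else:
                cur.append('\\' * n)          # not before a quote: all literal
            continue
        i += 1
        if ch == '"':
            in_quotes, have_arg = not in_quotes, True
        elif ch in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
        else:
            cur.append(ch)
            have_arg = True
    return args + ([''.join(cur)] if have_arg else [])

def round_trip(argv, quote=quote_arg):
    return split_args(' '.join(quote(a) for a in argv))

SAMPLE = ['a b', 'dir\\', 'say "hi"', 'x\\"y', '', 'end slash \\']  # constructed
```

Passing a quoting function that only wraps each argument in double quotes to `round_trip` shows the failure mode: an argument containing a quote and a space comes back as two arguments.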