Potential Argument Injection Issue in Cygwin's Command Line Handling
Brian Inglis
Brian.Inglis@systematicsw.ab.ca
Tue Feb 11 21:53:12 GMT 2025
On 2025-02-10 19:09, Kaz Kylheku wrote:
> On 2025-02-10 12:32, Brian Inglis via Cygwin wrote:
>> One can avoid any issues by running Cygwin programs only from other Cygwin programs, and Windows programs only from other Windows programs.
>> Microsoft has provided a documented algorithm, which is implemented in the ShellAPI function CommandLineToArgvW, and in the CRT module that prepares arguments for the main or wmain functions of Microsoft Visual C/C++ programs.
>> I believe that the algorithm is sound in that it can round-trip any argv[] vector to string, and then back to recover an identical argv[].
>> (Am I correct?)
It appears not, from the previous comments; the MS algorithm/hackaround messes up
various argument strings and makes the original contents irretrievable, if they
do not obey their limitations, rather than just passing along the verbatim command
line as a string, as assumed by POSIX programs, normally preceding the
environment in the heap, like an anonymous environment variable.
I prefer that Cygwin programs work like all other POSIX programs, as I maintain
a few dozen packages, and build a bunch of others I use that, for the most part,
port and run with no or only very minor patching, to work around Windows issues.
If every package had to work around the Windows issues that Cygwin handles for
us, we would not have many packages available, and be unable to support the
POSIX and Unix subsystems we do, that transparently interoperate with other Unix
compatible systems Cygwin users can access around the globe.
If you want to handle Windows command lines the MS way, feel free to use Windows
compilers and APIs, including AOCC, ICC, VC89, mingw64-x86_64-binutils/gcc, etc.
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
La perfection est atteinte Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
mais lorsqu'il n'y a plus rien à retrancher but when there is no more to cut
-- Antoine de Saint-Exupéry
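
An added example, not part of the thread and not Cygwin's code: the round-trip question quoted above, checked on constructed arguments by quoting them with Python's `subprocess.list2cmdline` (which follows the MS C runtime quoting rules) and splitting the result again. The names `split_ms`, `round_trips` and `SAMPLE` are assumptions made here, and the result says nothing about how Cygwin's own parser splits the same string.

```python
import subprocess

def split_ms(cmdline):
    """Split an argument string using the backslash/double-quote rules
    Microsoft documents for the C runtime (program name not handled)."""
    args, cur, in_quotes, started = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))  # 2n or 2n+1 backslashes -> n
                if run % 2:                    # odd run: the quote is literal
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * run)         # not before a quote: literal
            started, i = True, j
        elif c == '"':
            # Toggles quoted mode. The doubled-quote ("") form is not
            # modelled here; list2cmdline never emits it.
            in_quotes, started, i = not in_quotes, True, i + 1
        elif c in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
            i += 1
        else:
            cur.append(c)
            started, i = True, i + 1
    if started:
        args.append("".join(cur))
    return args

def round_trips(argv):
    """True if quoting argv and splitting it again returns argv unchanged."""
    return split_ms(subprocess.list2cmdline(argv)) == argv

# Constructed sample arguments (assumptions, not taken from the thread).
SAMPLE = ["", "a b", 'c"d', "e\\", "f g\\", '\\\\"h', 'i\\"j k', "--opt=va lue"]

if __name__ == "__main__":
    print(subprocess.list2cmdline(SAMPLE))
    print("round trip ok:", round_trips(SAMPLE))
    print("naive join:", split_ms(" ".join(["-f", "my file.txt"])))
```

The last line shows the contrast a caller should care about: joining arguments with bare spaces does not survive the split, while the quoted form does.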