Hi all, I'm reading an article on attacks that are evidently possible against some Windows programs in the area of command line parsing. See below.
Does the Cygwin run-time rely on GetCommandLineA to get the char-based command line that is parsed into argv[]? If so, it could be vulnerable to attacks which embed Unicode quotes into the command line, which GetCommandLineA normalizes to ASCII double quotes. A program which prepares a command line will assiduously escape any double quotes occurring in the arguments. But if fullwidth Unicode double quotes occur in the arguments, they will be passed through verbatim, and then turn into unescaped ASCII double quotes. Article: https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/ -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
