Greetings, Kaz Kylheku!

> Hi all,
> I'm reading an article on attacks that are evidently possible against some
> Windows programs in the area of command line parsing. See below.

> Does the Cygwin run-time rely on GetCommandLineA to get the char-based command
> line that is parsed into argv[]?

You can answer this question yourself. The code is open.

> If so, it could be vulnerable to attacks which embed Unicode quotes into the
> command line, which GetCommandLineA normalizes to ASCII double quotes.
> A program which prepares a command line will assiduously escape any double
> quotes occurring in the arguments. But if fullwidth Unicode double quotes
> occur in the arguments, they will be passed through verbatim, and then
> turn into unescaped ASCII double quotes.
> Article:
> https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/

--
With best regards,
Andrey Repin
Friday, January 10, 2025 10:32:40

Sorry for my terrible English...

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
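The quoting mismatch described in the quoted message, worked through as an added Python example (this is not code from the thread, from Cygwin, or from the linked article): a Windows-style argument quoter, a parser that follows the C runtime's backslash-and-quote rules for the argument part of a command line, and a simulated ANSI "best-fit" narrowing step. The best-fit table is an assumption limited to the one character the thread names, the fullwidth quotation mark U+FF02 collapsing to ASCII `"`; the real mapping depends on the active ANSI code page. The final function is the defensive check a caller can run before handing arguments to a consumer that might parse the narrow command line.

```python
# Added example: why Windows-style quote escaping is not enough when the
# consumer reads the ANSI (char-based) command line and best-fit mapping
# turns non-ASCII characters into ASCII quotes before parsing.

# Assumption: a tiny stand-in for the Windows best-fit table. Only the
# fullwidth quotation mark named in the thread is modelled here.
BEST_FIT_TO_ASCII = {"\uff02": '"'}


def quote_arg(arg: str) -> str:
    """Quote one argument the way a careful Windows launcher does, so that
    the C runtime splits it back into exactly the same string."""
    if arg and not any(c in arg for c in ' \t\n\v"'):
        return arg  # nothing that needs protecting
    out = ['"']
    backslashes = 0
    for c in arg:
        if c == "\\":
            backslashes += 1
            continue
        if c == '"':
            # backslashes before a quote must be doubled, plus one to escape the quote
            out.append("\\" * (2 * backslashes + 1))
        else:
            out.append("\\" * backslashes)  # backslashes elsewhere are literal
        out.append(c)
        backslashes = 0
    out.append("\\" * (2 * backslashes))  # trailing backslashes before closing quote
    out.append('"')
    return "".join(out)


def split_args(cmdline: str) -> list:
    """Split a command line using the C runtime rules for arguments:
    2n backslashes + quote -> n backslashes and a quote toggle,
    2n+1 backslashes + quote -> n backslashes and a literal quote,
    whitespace outside quotes separates arguments. (The special, simpler
    rule for the program name is ignored; the whole string is treated as arguments.)"""
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2 == 1:
                    cur.append('"')
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * count)
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def simulate_ansi_best_fit(s: str) -> str:
    """Simulate the narrowing an ANSI consumer sees: characters in the
    (assumed) best-fit table become their ASCII counterparts."""
    return "".join(BEST_FIT_TO_ASCII.get(c, c) for c in s)


def demo():
    """Build a correctly escaped command line containing a fullwidth quote and
    return (argv as the wide parser sees it, argv after ANSI narrowing)."""
    wide_arg = "report\uff02 extra"  # constructed argument with U+FF02 inside
    cmdline = "prog.exe " + quote_arg(wide_arg)
    return split_args(cmdline), split_args(simulate_ansi_best_fit(cmdline))


def argv_is_stable_under_ansi(args: list) -> bool:
    """Defensive check: True only if the quoted command line yields the same
    argv whether parsed as-is or after simulated best-fit narrowing."""
    cmdline = " ".join(quote_arg(a) for a in args)
    return split_args(cmdline) == split_args(simulate_ansi_best_fit(cmdline))


if __name__ == "__main__":
    wide, narrow = demo()
    print("wide parse  :", wide)    # one argument, quote preserved
    print("narrow parse:", narrow)  # the same text split into two arguments
    print("stable:", argv_is_stable_under_ansi(["prog.exe", "a b", 'c"d']))
```

The quoter and parser agree with each other on every input (the round trip in `argv_is_stable_under_ansi` holds for ASCII arguments with spaces, quotes and backslashes), so the defect is not in the escaping; it is that the escaping was applied to a wide string while a narrow consumer parses a different string. A launcher that must hand arguments to an ANSI-parsing program can use a check like `argv_is_stable_under_ansi` to refuse arguments whose argv would change, and a program on the receiving side avoids the problem entirely by reading the wide command line rather than the char-based one.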