On Jan 10 13:52, Kaz Kylheku via Cygwin wrote:
> On 2025-01-09 23:52, Marco Atzeri wrote:
> > On 10/01/2025 08:33, Andrey Repin via Cygwin wrote:
> >> Greetings, Kaz Kylheku!
> >>
> >>> Hi all,
> >>
> >>> I'm reading an article on attacks that are evidently possible against
> >>> some Windows
> >>> programs in the area of command line parsing. See below.
> >>
> >>> Does the Cygwin run-time rely on GetCommandLineA to get the char-based
> >>> command
> >>> line that is parsed into argv[]?
> >>
> >> You can answer this question yourself. The code is open.
> >
> > Specifically on https://cygwin.com/git/newlib-cygwin.git
> >
> > /pub/Cygwin/git/newlib-cygwin
> > $ grep -rH GetCommandLineA .
> > ./winsup/CVSChangeLogs.old/cygwin/ChangeLog-2013: (cygwin_GetCommandLineA):
> > Ditto.
> > ./winsup/cygwin/cygwin.din:GetCommandLineA@0 = cygwin_GetCommandLineA@0
> > NOSIGFE
> > ./winsup/cygwin/include/cygwin/version.h: 268: Export GetCommandLineA,
> > GetCommandLineW
> > ./winsup/cygwin/kernel32.cc:/* Cygwin replacement for GetCommandLineA.
> > Returns a concatenated string
> > ./winsup/cygwin/kernel32.cc:cygwin_GetCommandLineA (void)
>
> I see that the kernel32.cc function uses RtlUnicodeStringToAnsiString.
>
> The article I linked to mentions this specific function. The function does the
> "BestFit" thing, converting Unicode characters to ASCII pseudo-equivalents.
>
> If Cygwin relies on this function for converting the process command line
> into main() arguments, it is likely susceptible to argument injection.

Yeah, but it doesn't. This is just a wrapper function for external apps.
See function dll_crt0_1() in dcrt0.cc for the real deal.

Corinna
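
An added example, not part of the thread and not Cygwin's code: a pre-flight check that flags command-line characters with no exact representation in an ANSI code page, which are the ones a best-fit conversion like the one discussed above would have to replace with look-alikes. The function names, the cp1252 default and the sample arguments are assumptions of this example; NFKC folding is used only as a hint and is not the Windows best-fit table.

```python
import unicodedata

# Characters that matter to command-line splitting and option parsing.
SENSITIVE = set('"\\/- ')


def audit_args(args, codepage="cp1252"):
    """Return one finding per character that cannot be encoded exactly in
    `codepage`, i.e. a character a lossy wide-to-ANSI conversion must
    substitute with something else."""
    findings = []
    for index, arg in enumerate(args):
        for pos, ch in enumerate(arg):
            try:
                ch.encode(codepage, errors="strict")
                continue  # exact mapping exists, nothing gets substituted
            except UnicodeEncodeError:
                pass
            # Assumption: NFKC is only a hint at the ASCII look-alike,
            # it is not the Windows best-fit mapping itself.
            folded = unicodedata.normalize("NFKC", ch)
            findings.append({
                "arg": index,
                "pos": pos,
                "codepoint": "U+%04X" % ord(ch),
                "name": unicodedata.name(ch, "UNKNOWN"),
                "folds_to": folded,
                "sensitive": any(c in SENSITIVE for c in folded),
            })
    return findings


def is_safe_for_ansi(args, codepage="cp1252"):
    """True only if every character of every argument encodes exactly."""
    return not audit_args(args, codepage)


# Constructed sample input: the second argument carries U+FF02
# (FULLWIDTH QUOTATION MARK); the third is plain cp1252 text.
SAMPLE = ["--name", "report\uff02 --extra", "caf\u00e9.txt"]

if __name__ == "__main__":
    for finding in audit_args(SAMPLE):
        print(finding)
```

Rejecting or escaping flagged arguments before they reach a program that reads its command line through an ANSI API keeps the parsed argv identical to what the caller intended.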