Potential Argument Injection Issue in Cygwin's Command Line Handling

Mon, 03 Feb 2025 22:17:05 -0800 

Hello Cygwin team,

I am splitline from DEVCORE research team. I recently have observed an
inconsistency
in how Cygwin handles command-line parsing compared to Microsoft’s
implementation.


According to Microsoft’s documentation [1], the \" sequence should always
be
interpreted as a literal double quote ("):
> A double quote mark preceded by a backslash (\") is interpreted as a
literal
> double quote mark (").

However, in Cygwin, the same sequence treats the backslash as a literal
character
and starts quote mode instead.

[1]
https://learn.microsoft.com/en-us/cpp/c-language/parsing-c-command-line-arguments

This inconsistency can cause unexpected behavior when passing executable
arguments
via the command line (as opposed to Cygwin’s `execve` method), potentially
leading
to argument injection vulnerabilities.


Below is my testing process using the Python from Python.org (not the
Cygwin version):


splitline@SPLITLINE0D06 ~

$ which gcc

/usr/bin/gcc

splitline@SPLITLINE0D06 ~

$ cat test.c

#include <stdio.h>


int main(int argc, char* argv[], char* envp[]) {

    for (int i = 0; i < argc; ++i)

        printf("argv[%d] = %s\n", i, argv[i]);

}

splitline@SPLITLINE0D06 ~

$ gcc test.c -o test.exe

splitline@SPLITLINE0D06 ~

$ which python

/cygdrive/c/Python313/python

splitline@SPLITLINE0D06 ~

$ python

Python 3.13.1 (tags/v3.13.1:0671451, Dec  3 2024, 19:06:28) [MSC v.1942

64 bit (AMD64)] on win32

Type "help", "copyright", "credits" or "license" for more information.

>>> import subprocess

>>> subprocess.run(['./test.exe', '"', " a b c"]) # should be only 2 args

argv[0] = ./test

argv[1] = \

argv[2] = a

argv[3] = b

argv[4] = c

CompletedProcess(args=['./test.exe', '"', ' a b c'], returncode=0)

>>>



As we can see, it should originally be only 2 arguments: ["] and [ a b c].
However,
the command line is parsed into 4 different arguments.

Note: With that Python code, the spawned command line is: ./test.exe \" " a
b c"

Please let me know if you have any questions, thanks!

Best regards,
splitline
DEVCORE

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

Reply via email to