> Windows is security deficient in this area, not Cygwin.
>
> I'll quote myself to share my opinion:
> https://git.lighttpd.net/lighttpd/lighttpd1.4/src/branch/master/src/fdevent_win32.c#L543
>  * The Microsoft CreateProcess() interface is criminally broken.
>  * Forcing argument strings to be concatenated into a single string
>  * only to be re-parsed by Windows can lead to security issues.
>  *
>  * Above comment from 2021 was true then as now in 2025
>  *
> https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/
Yes, I agree with you, this design has always been really problematic; that was totally a bad idea. But at this point, it's probably a huge design debt, and I imagine it’s not an easy fix for Microsoft.

Back to this issue, the argument parsing logic is indeed handled by Cygwin itself, not Windows. So regardless of the question of who should be held responsible for this, I think it’s still reasonable to follow the convention. At the very least, it might be a minor inconvenience for some regular users.

P.S. I did the research on the argument-splitting part of the blog post you quoted. That's why I noticed this issue, and I was also quite surprised by this bad design in Windows.

Regards,
splitline