On 2025-02-09 20:48, Splitline Ng via Cygwin wrote:
>> Windows is security deficient in this area, not Cygwin.
>> I'll quote myself to share my opinion:
>> https://git.lighttpd.net/lighttpd/lighttpd1.4/src/branch/master/src/fdevent_win32.c#L543
>>  * The Microsoft CreateProcess() interface is criminally broken.
>>  * Forcing argument strings to be concatenated into a single string
>>  * only to be re-parsed by Windows can lead to security issues.
>>  *
>>  * Above comment from 2021 was true then as now in 2025
>>  *
>> https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/
>
> Yes, I agree with you, this design has always been really problematic,
> that was totally a bad idea. But at this point, it's probably a huge
> design debt, and I imagine it’s not an easy fix for Microsoft.
> Back to this issue, the argument parsing logic is indeed handled by
> Cygwin itself, not Windows. So regardless of the question of who
> should be held responsible for this, I think it’s still reasonable to
> follow the convention. At the very least, it might be a minor
> inconvenience for some regular users.

What part of "Cygwin - Get that Linux feeling - on Windows" - do you not get?
Cygwin's goals are to be as POSIX/Unix*/Linux compatible as possible by working
around Windows' bugs, issues, and limitations, while supporting some
interoperability with Windows programs and systems (less as we add more
POSIX/Unix/Linux compatible support).
Starting Windows programs with command line arguments from Cygwin programs and
shells may require the runner to take account of and work around Cygwin's
conventions, just as starting Cygwin programs with command line arguments from
Windows programs and shells may require the runner to take account of and work
around Windows' conventions.
One can avoid any issues by running Cygwin programs only from other Cygwin
programs, and Windows programs only from other Windows programs.
*[I say Unix because while we want to be UNIX® AKA SUSV5 Core compatible, we
also want to be compatible with the original Unix legacy embodied in
SunOS/SysV/Solaris, and BSD releases, from which our libc newlib borrows some
code with ~1500 refs in ~600 files, and Cygwin has ~600 refs in ~200 files, with
*all* patches submitted under the BSD-2-Clause licence.]
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
La perfection est atteinte Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
mais lorsqu'il n'y a plus rien à retrancher but when there is no more to cut
-- Antoine de Saint-Exupéry
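
The concatenate-then-re-parse problem discussed in this thread, as an added example that is not part of the original message or of the Cygwin or lighttpd code: a parser for the documented Microsoft C runtime backslash and quote rules, used to check whether a joined command line splits back into the original argv. The sample argv is constructed, and a child that parses its own command line (as the thread notes Cygwin does) may apply different rules.

```python
import subprocess

def split_windows_cmdline(cmdline):
    """Split per the documented MS C runtime rules: 2n backslashes + quote ->
    n backslashes and a quote toggle; 2n+1 -> n backslashes and a literal quote.
    The undocumented "" rule is not modelled (assumption of this example)."""
    args, cur, in_quotes, started = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:
                    cur.append('"')            # escaped quote stays literal
                else:
                    in_quotes = not in_quotes  # unescaped quote toggles state
                j += 1
            else:
                cur.append("\\" * count)       # backslashes not before a quote
            i, started = j, True
        elif c == '"':
            in_quotes, started, i = not in_quotes, True, i + 1
        elif c in " \t" and not in_quotes:
            if started:                        # separator ends the argument
                args.append("".join(cur))
                cur, started = [], False
            i += 1
        else:
            cur.append(c)
            i, started = i + 1, True
    if started:
        args.append("".join(cur))
    return args

def naive_join(argv):
    return " ".join(argv)                      # what a careless caller does

def round_trips(argv, join):
    return split_windows_cmdline(join(argv)) == argv

# Constructed sample: space, trailing backslash, embedded quotes, empty arg.
ARGV = ["tool.exe", "--out", "C:\\My Docs\\", 'a" --verbose "b', ""]

if __name__ == "__main__":
    print(split_windows_cmdline(naive_join(ARGV)))
    print(round_trips(ARGV, naive_join), round_trips(ARGV, subprocess.list2cmdline))
```
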