On 6/18/2010 2:52 PM, Bob Friesenhahn wrote: > On Fri, 18 Jun 2010, Charles Wilson wrote: >> >>> If so, this raises security implications >>> that we want to avoid. >> >> I don't think so. > > Hopefully not. If a binary from an executable program is placed at the > path "C:\cygwin\bin\last" (with no .exe extension) does LoadLibrary() > load it?
On Vista, no. I moved last.exe out of the way (last-foo). I copied last-foo to 'last' with no extension, and verified that it did not, in fact, have the .exe added. I then stepped thru the code, and both dlopen and LoadLibrary returned null when given (in either unix or dos format, as appropriate) "/usr/bin/last" However, since this exe image had no exports, I thought perhaps it might be failing for that reason. So, I copied a DLL to /usr/bin/last, and tried again. Same story: neither dlopen nor LoadLibrary opened it. Now, this is on Vista. I dunno how earlier OSes might react. > Since we are on the subject, it is good to make sure that Windows really > is in good shape security-wise. Ooooh, oooh, pick me, pick me -- I know this one... It (meaning windows, not necessarily "libltdl" on windows) isn't. But we're NOT on the subject. We're talking about a patch for lt_dlerror, and how it -- or, with slight modifications to the machinery the patch puts into place -- enables easier debugging of a long-standing cygwin regression. Now, however, we've drifted off topic more thoroughly into the details of that cygwin regression and that's my fault. Sorry Peter. But we shouldn't go off on yet another tangent, so if we want to start a new "Let's make Bill Gates' masterpiece secure for him" thread, let's do that and not make this one more incoherent than it already is. > Windows paranoia about downloaded files might go away if the file > extension is missing so it is good to know if it will still attempt to > load an exectuable or DLL which has its file extension missing. Well, apparently it won't -- on Vista. -- Chuck
