Date: Tue, 4 Feb 2025 14:15:57 +0800
Subject: Potential Argument Injection Issue in Cygwin's Command Line Handling
To: cygwin AT cygwin DOT com
List-Id: General Cygwin discussions and problem reports
From: Splitline Huang via Cygwin
Reply-To: Splitline Huang

Hello Cygwin team,

I am splitline from the DEVCORE research team.
I have recently observed an inconsistency in how Cygwin handles command-line parsing compared to Microsoft’s implementation. According to Microsoft’s documentation [1], the \" sequence should always be interpreted as a literal double quote ("):

> A double quote mark preceded by a backslash (\") is interpreted as a literal
> double quote mark (").

However, in Cygwin, the same sequence treats the backslash as a literal character and starts quote mode instead.

[1] https://learn.microsoft.com/en-us/cpp/c-language/parsing-c-command-line-arguments

This inconsistency can cause unexpected behavior when passing executable arguments via the command line (as opposed to Cygwin’s `execve` method), potentially leading to argument injection vulnerabilities.

Below is my testing process using the Python from Python.org (not the Cygwin version):

    splitline AT SPLITLINE0D06 ~
    $ which gcc
    /usr/bin/gcc

    splitline AT SPLITLINE0D06 ~
    $ cat test.c
    #include <stdio.h>

    int main(int argc, char* argv[], char* envp[]) {
        for (int i = 0; i < argc; ++i)
            printf("argv[%d] = %s\n", i, argv[i]);
    }

    splitline AT SPLITLINE0D06 ~
    $ gcc test.c -o test.exe

    splitline AT SPLITLINE0D06 ~
    $ which python
    /cygdrive/c/Python313/python

    splitline AT SPLITLINE0D06 ~
    $ python
    Python 3.13.1 (tags/v3.13.1:0671451, Dec 3 2024, 19:06:28) [MSC v.1942 64 bit (AMD64)] on win32
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import subprocess
    >>> subprocess.run(['./test.exe', '"', " a b c"]) # should be only 2 args
    argv[0] = ./test
    argv[1] = \
    argv[2] = a
    argv[3] = b
    argv[4] = c
    CompletedProcess(args=['./test.exe', '"', ' a b c'], returncode=0)
    >>>

As we can see, it should originally be only 2 arguments: ["] and [ a b c]. However, the command line is parsed into 4 different arguments.

Note: With that Python code, the spawned command line is:

    ./test.exe \" " a b c"

Please let me know if you have any questions, thanks!
Best regards,
splitline
DEVCORE
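The parsing mismatch described in this message, as an added example that is not part of the original post and is neither Cygwin's nor Microsoft's code. `split_cmdline`, its `backslash_escapes` switch and `round_trips` are hypothetical names; the non-escaping mode is only a simplified model of the behaviour the post reports, useful as a regression check that a parser recovers the arguments the caller passed.

```python
import subprocess

def split_cmdline(cmdline, backslash_escapes=True):
    """Split a Windows command line (illustrative helper, not Cygwin's code).
    backslash_escapes=True: backslash/quote rules of the Microsoft document [1].
    backslash_escapes=False: simplified model of the reported behaviour (a
    backslash is literal, '"' toggles quote mode). argv[0] and the "" escape
    inside quotes get no special handling."""
    args, cur, in_quotes, started = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\" and backslash_escapes:
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i                          # length of the backslash run
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))    # each pair -> one backslash
                if run % 2:
                    cur.append('"')              # odd run: the quote is literal
                else:
                    in_quotes = not in_quotes    # even run: the quote delimits
                j += 1
            else:
                cur.append("\\" * run)           # not before a quote: literal
            started, i = True, j
            continue
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:                          # whitespace ends the argument
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
        i += 1
    if started:
        args.append("".join(cur))
    return args

# Argument list from the post; on Windows, subprocess joins it with list2cmdline.
ARGV = ["./test.exe", '"', " a b c"]
CMDLINE = subprocess.list2cmdline(ARGV)

def round_trips(argv, **kw):
    # True when the parser recovers exactly the arguments the caller passed.
    return split_cmdline(subprocess.list2cmdline(argv), **kw) == argv
```

`split_cmdline(CMDLINE)` returns the original three-element list, while `split_cmdline(CMDLINE, backslash_escapes=False)` returns five elements, matching the argv count in the test output above.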