Message-ID: <864f2d4a-15a2-465b-bf81-6f81ee42e7ea@gmail.com>
Date: Tue, 4 Feb 2025 07:57:07 +0100
Subject: Re: Potential Argument Injection Issue in Cygwin's Command Line Handling
To: cygwin AT cygwin DOT com
From: Marco Atzeri via Cygwin
Reply-To: Marco Atzeri

On 04/02/2025 07:15, Splitline Huang via Cygwin wrote:
> Hello Cygwin team,
>
> I am splitline from DEVCORE research team. I recently have observed an
> inconsistency in how Cygwin handles command-line parsing compared to
> Microsoft’s implementation.
>
> According to Microsoft’s documentation [1], the \" sequence should always
> be interpreted as a literal double quote ("):
> > A double quote mark preceded by a backslash (\") is interpreted as a
> > literal double quote mark (").
>
> However, in Cygwin, the same sequence treats the backslash as a literal
> character and starts quote mode instead.
>
> > $ which python
> > /cygdrive/c/Python313/python
> > splitline AT SPLITLINE0D06 ~
> > $ python
> > Python 3.13.1 (tags/v3.13.1:0671451, Dec 3 2024, 19:06:28) [MSC v.1942 64 bit (AMD64)] on win32
> > Type "help", "copyright", "credits" or "license" for more information.
> > >>> import subprocess
> > >>> subprocess.run(['./test.exe', '"', " a b c"]) # should be only 2 args
> > argv[0] = ./test
> > argv[1] = \
> > argv[2] = a
> > argv[3] = b
> > argv[4] = c
> > CompletedProcess(args=['./test.exe', '"', ' a b c'], returncode=0)
> > >>>
>
> As we can see, it should originally be only 2 arguments: ["] and [ a b c].
> However, the command line is parsed into 4 different arguments.

$ python3.12
Python 3.12.8 (main, Jan 31 2025, 21:29:51) [GCC 12.4.0] on cygwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import subprocess
>>> subprocess.run(['./test.exe', '"', " a b c"])
argv[0] = ./test
argv[1] = "
argv[2] = a b c
CompletedProcess(args=['./test.exe', '"', ' a b c'], returncode=0)

it seems correct to me for a Cygwin Python

> Note: With that Python code, the spawned command line is: ./test.exe \" " a
> b c"
>
> Please let me know if you have any questions, thanks!
>
> Best regards,
> splitline
> DEVCORE

Regards
Marco

PS: Windows is not very consistent on quoting behaviour, e.g.
https://github.com/Azure/azure-cli/blob/dev/doc/quoting-issues-with-powershell.md
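
Archive note: the following is an added example, not part of either message and not Cygwin or CPython source. It rebuilds the command line quoted in the report with `subprocess.list2cmdline` and splits it twice: once with the backslash-before-quote rules from Microsoft's documentation (simplified: the `""` rule and the special handling of argv[0] are omitted), and once with an assumed model of the reported behaviour in which a backslash is an ordinary character and every double quote toggles quoting. `split_cmdline` and `compare` are hypothetical names.

```python
import subprocess

def split_cmdline(cmdline, backslash_escapes=True):
    """Split a Windows command line into arguments.

    backslash_escapes=True  -> Microsoft C runtime rules: 2n backslashes + quote
                               give n backslashes and a delimiter quote; 2n+1
                               give n backslashes and a literal quote.
    backslash_escapes=False -> assumed model of the reported behaviour:
                               backslash is ordinary, every quote toggles quoting.
    """
    args, cur, in_quotes, started = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\" and backslash_escapes:
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:            # odd run: the quote is literal
                    cur.append('"')
                    j += 1
            else:                      # not before a quote: all literal
                cur.append("\\" * run)
            started, i = True, j
            continue
        if c == '"':
            in_quotes, started = not in_quotes, True
        elif c in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(c)
            started = True
        i += 1
    if started:
        args.append("".join(cur))
    return args

def compare(argv):
    """Return (command line, MS-rule parse, literal-backslash parse)."""
    line = subprocess.list2cmdline(argv)
    return line, split_cmdline(line), split_cmdline(line, backslash_escapes=False)

if __name__ == "__main__":
    for item in compare(["./test.exe", '"', " a b c"]):
        print(repr(item))
```

Under the Microsoft rules the line round-trips to the original two arguments; under the literal-backslash model it splits into four arguments after the program name, the first being a backslash followed by a space.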