Have execve() escape double quotes in cmd.exe's preferred style

This makes it possible for us to use system() and popen() with paths that redirect to filenames that contain spaces, e.g. system("echo.com hello >\"hello there.txt\"") It's difficult to solve this problem, because WIN32 only allows passing one single argument when launching programs and each program is allowed to tokenize that however it wants. Most software follows the convention of cmd.exe which is poorly documented and positively byzantine. In the future we're going to solve this by not using cmd.exe at all and instead embedding the cocmd.com interpreter into the system() function. In the meantime, our documentation has been updated to help recalibrate any expectation the user might hold regarding the security of using the Windows command interpreter. Fixes #644
2025-07-20 01:20:32 +00:00 · 2022-10-02 08:43:25 -07:00 · 2022-10-02 08:43:25 -07:00 · 3f3cb0650b
commit 3f3cb0650b
parent acd8900071
15 changed files with 223 additions and 95 deletions
--- a/libc/calls/execve.c
+++ b/libc/calls/execve.c
@ -35,6 +35,12 @@
 /**
 * Replaces current process with program.
 *
+ * Warning: Our implementation of argument escaping on Windows hasn't
+ * been security reviewed for optimal handling of malicious arguments
+ * when interoperating with commonly used software. We make an effort
+ * to follow the same conventions as other FOSS software, e.g. PuTTY,
+ * however each WIN32 app is permitted to tokenize args how it wants.
+ *
 * @param program will not be PATH searched, see commandv()
 * @param argv[0] is the name of the program to run
 * @param argv[1,n-2] optionally specify program arguments
--- a/libc/calls/mkntcmdline.c
+++ b/libc/calls/mkntcmdline.c
@ -34,8 +34,15 @@
 static bool NeedsQuotes(const char *s) {
  if (!*s) return true;
  do {
-    if (*s == ' ' || *s == '\t') {
-      return true;
+    switch (*s) {
+      case '"':
+      case ' ':
+      case '\t':
+      case '\v':
+      case '\n':
+        return true;
+      default:
+        break;
    }
  } while (*s++);
  return false;
@ -45,19 +52,21 @@ static inline int IsAlpha(int c) {
  return ('A' <= c && c <= 'Z') || ('a' <= c && c <= 'z');
 }

-/**
- * Converts System V argv to Windows-style command line.
- *
- * Escaping is performed and it's designed to round-trip with
- * GetDosArgv() or GetDosArgv(). This function does NOT escape
- * command interpreter syntax, e.g. $VAR (sh), %VAR% (cmd).
- *
- * @param cmdline is output buffer
- * @param prog is used as argv[0]
- * @param argv is an a NULL-terminated array of UTF-8 strings
- * @return freshly allocated lpCommandLine or NULL w/ errno
- * @see libc/runtime/dosargv.c
- */
+// Converts System V argv to Windows-style command line.
+//
+// Escaping is performed and it's designed to round-trip with
+// GetDosArgv() or GetDosArgv(). This function does NOT escape
+// command interpreter syntax, e.g. $VAR (sh), %VAR% (cmd).
+//
+// TODO(jart): this needs fuzzing and security review
+//
+// @param cmdline is output buffer
+// @param prog is frontloaded as argv[0]
+// @param argv is an a NULL-terminated array of UTF-8 strings
+// @return 0 on success, or -1 w/ errno
+// @raise E2BIG if everything is too huge
+// @see "Everyone quotes command line arguments the wrong way" MSDN
+// @see libc/runtime/getdosargv.c
 textwindows int mkntcmdline(char16_t cmdline[ARG_MAX / 2], const char *prog,
                            char *const argv[]) {
  char *arg;
@ -102,8 +111,8 @@ textwindows int mkntcmdline(char16_t cmdline[ARG_MAX / 2], const char *prog,
        } else {
          // turn stuff like `less /c/...`
          //            into `less c:/...`
-          // turn stuff like `more <\\\"/c/...\\\"`
-          //            into `more <\\\"c:/...\\\"`
+          // turn stuff like `more <"/c/..."`
+          //            into `more <"c:/..."`
          if (k > 3 && IsAlpha(cmdline[k - 1]) &&
              (cmdline[k - 2] == '/' || cmdline[k - 2] == '\\') &&
              (cmdline[k - 3] == '"' || cmdline[k - 3] == ' ')) {
@ -115,11 +124,8 @@ textwindows int mkntcmdline(char16_t cmdline[ARG_MAX / 2], const char *prog,
      if (x == '\\') {
        ++slashes;
      } else if (x == '"') {
-        for (s = 0; s < slashes * 2; ++s) {
-          APPEND(u'\\');
-        }
-        slashes = 0;
-        APPEND(u'\\');
+        APPEND(u'"');
+        APPEND(u'"');
        APPEND(u'"');
      } else {
        for (s = 0; s < slashes; ++s) {
--- a/libc/calls/mkntpath.c
+++ b/libc/calls/mkntpath.c
@ -17,8 +17,8 @@
 │ PERFORMANCE OF THIS SOFTWARE.                                                │
 ╚─────────────────────────────────────────────────────────────────────────────*/
 #include "libc/calls/ntmagicpaths.internal.h"
-#include "libc/intrin/strace.internal.h"
 #include "libc/calls/syscall_support-nt.internal.h"
+#include "libc/intrin/strace.internal.h"
 #include "libc/macros.internal.h"
 #include "libc/nt/systeminfo.h"
 #include "libc/str/oldutf16.internal.h"
@ -173,5 +173,24 @@ textwindows int __mkntpath2(const char *path,
  p[j] = 0;
  n = j;

-  return x + m + n;
+  // our path is now stored at `path16` with length `n`
+  n = x + m + n;
+
+  // To avoid toil like this:
+  //
+  //     CMD.EXE was started with the above path as the current directory.
+  //     UNC paths are not supported.  Defaulting to Windows directory.
+  //     Access is denied.
+  //
+  // Remove \\?\ prefix if we're within 260 character limit.
+  if (n > 4 && n < 260 &&   //
+      path16[0] == '\\' &&  //
+      path16[1] == '\\' &&  //
+      path16[2] == '?' &&   //
+      path16[3] == '\\') {
+    memmove(path16, path16 + 4, (n - 4 + 1) * sizeof(char16_t));
+    n -= 4;
+  }
+
+  return n;
 }