vista: backport execve escaping and using cocmd as shell for system, etc. (#660)

* Introduce testlib_extract() helper

* Have execve() escape double quotes in cmd.exe's preferred style

This makes it possible for us to use system() and popen() with paths
that redirect to filenames that contain spaces, e.g.

    system("echo.com hello >\"hello there.txt\"")

It's difficult to solve this problem, because WIN32 only allows passing
one single argument when launching programs and each program is allowed
to tokenize that however it wants. Most software follows the convention
of cmd.exe which is poorly documented and positively byzantine.

In the future we're going to solve this by not using cmd.exe at all and
instead embedding the cocmd.com interpreter into the system() function.
In the meantime, our documentation has been updated to help recalibrate
any expectation the user might hold regarding the security of using the
Windows command interpreter.

Fixes #644

* Introduce double quote support in cocmd.com shell

* Add some tests for execve()

* Embed cocmd.com interpreter for system() / open()

This change lets you use system() in an easier and portable way. The
problem with the call in the past has always been that bourne and
cmd.com on Windows have less than nothing in common, so pretty much the
only command system() could be used for across platforms was maybe echo.
cmd.exe is also a security liability due to its escaping rules.

Since cocmd.com implements 85% of what we need from bourne, in a really
tiny way, it makes perfect sense to be embedded in these functionss. We
get a huge performance boost too.

Fixes #644

* Support whitespace after cocmd output redirection

Co-authored-by: Justine Tunney <jtunney@gmail.com>

libc/calls/execve.c

@@ -35,6 +35,10 @@
 /**
  * Replaces current process with program.
  *
+ * On Windows, `argv` and `envp` can't contain binary strings. They need
+ * to be valid UTF-8 in order to round-trip the WIN32 API, without being
+ * corrupted.
+ *
  * @param program will not be PATH searched, see commandv()
  * @param argv[0] is the name of the program to run
  * @param argv[1,n-2] optionally specify program arguments

libc/calls/mkntcmdline.c

@@ -34,8 +34,15 @@
 static bool NeedsQuotes(const char *s) {
   if (!*s) return true;
   do {
-    if (*s == ' ' || *s == '\t') {
-      return true;
+    switch (*s) {
+      case '"':
+      case ' ':
+      case '\t':
+      case '\v':
+      case '\n':
+        return true;
+      default:
+        break;
     }
   } while (*s++);
   return false;
@@ -45,19 +52,21 @@ static inline int IsAlpha(int c) {
   return ('A' <= c && c <= 'Z') || ('a' <= c && c <= 'z');
 }
 
-/**
- * Converts System V argv to Windows-style command line.
- *
- * Escaping is performed and it's designed to round-trip with
- * GetDosArgv() or GetDosArgv(). This function does NOT escape
- * command interpreter syntax, e.g. $VAR (sh), %VAR% (cmd).
- *
- * @param cmdline is output buffer
- * @param prog is used as argv[0]
- * @param argv is an a NULL-terminated array of UTF-8 strings
- * @return freshly allocated lpCommandLine or NULL w/ errno
- * @see libc/runtime/dosargv.c
- */
+// Converts System V argv to Windows-style command line.
+//
+// Escaping is performed and it's designed to round-trip with
+// GetDosArgv() or GetDosArgv(). This function does NOT escape
+// command interpreter syntax, e.g. $VAR (sh), %VAR% (cmd).
+//
+// TODO(jart): this needs fuzzing and security review
+//
+// @param cmdline is output buffer
+// @param prog is frontloaded as argv[0]
+// @param argv is an a NULL-terminated array of UTF-8 strings
+// @return 0 on success, or -1 w/ errno
+// @raise E2BIG if everything is too huge
+// @see "Everyone quotes command line arguments the wrong way" MSDN
+// @see libc/runtime/getdosargv.c
 textwindows int mkntcmdline(char16_t cmdline[ARG_MAX / 2], const char *prog,
                             char *const argv[]) {
   char *arg;
@@ -102,8 +111,8 @@ textwindows int mkntcmdline(char16_t cmdline[ARG_MAX / 2], const char *prog,
         } else {
           // turn stuff like `less /c/...`
           //            into `less c:/...`
-          // turn stuff like `more <\\\"/c/...\\\"`
-          //            into `more <\\\"c:/...\\\"`
+          // turn stuff like `more <"/c/..."`
+          //            into `more <"c:/..."`
           if (k > 3 && IsAlpha(cmdline[k - 1]) &&
               (cmdline[k - 2] == '/' || cmdline[k - 2] == '\\') &&
               (cmdline[k - 3] == '"' || cmdline[k - 3] == ' ')) {
@@ -115,11 +124,8 @@ textwindows int mkntcmdline(char16_t cmdline[ARG_MAX / 2], const char *prog,
       if (x == '\\') {
         ++slashes;
       } else if (x == '"') {
-        for (s = 0; s < slashes * 2; ++s) {
-          APPEND(u'\\');
-        }
-        slashes = 0;
-        APPEND(u'\\');
+        APPEND(u'"');
+        APPEND(u'"');
         APPEND(u'"');
       } else {
         for (s = 0; s < slashes; ++s) {

libc/calls/mkntpath.c

@@ -173,5 +173,24 @@ textwindows int __mkntpath2(const char *path,
   p[j] = 0;
   n = j;
 
-  return x + m + n;
+  // our path is now stored at `path16` with length `n`
+  n = x + m + n;
+
+  // To avoid toil like this:
+  //
+  //     CMD.EXE was started with the above path as the current directory.
+  //     UNC paths are not supported.  Defaulting to Windows directory.
+  //     Access is denied.
+  //
+  // Remove \\?\ prefix if we're within 260 character limit.
+  if (n > 4 && n < 260 &&   //
+      path16[0] == '\\' &&  //
+      path16[1] == '\\' &&  //
+      path16[2] == '?' &&   //
+      path16[3] == '\\') {
+    memmove(path16, path16 + 4, (n - 4 + 1) * sizeof(char16_t));
+    n -= 4;
+  }
+
+  return n;
 }