From 05adca525608343e116de898ff6f3b0cd3300429 Mon Sep 17 00:00:00 2001 From: oehhar Date: Fri, 3 Nov 2023 11:25:01 +0000 Subject: Ticket [21b0629c] introduced additional exec quoting for Windows, but did not document it. Here is a proposed documentation. --- doc/exec.n | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/doc/exec.n b/doc/exec.n index d7fd96b..dc1c8c5 100644 --- a/doc/exec.n +++ b/doc/exec.n 
@@ -234,6 +234,37 @@ processor (\fBcmd.exe /c\fR), because this causes truncation of command-line (also the argument chain) on the first newline character. But it works properly with an executable (using CommandLineToArgv, etc). .PP +\fBVulnerable arguments\fR +.RS +If invoking batch files or other specific programs, the Windows environment +does execute programs mentioned in the arguments or replace environment +variables, which may breake any already existing quoting (for example, if the +environment variable contains a special character like a \fB"\fR). +Examples are: +.CS +% exec my-echo.cmd {test&whoami} + test + mylogin +% exec my-echo.cmd "ENV X:%X%" + ENV X: CONTENT OF X +.CE +This might be seen as a vulnerability. In consequence, the following formatting +is automatically performed on any argument item: +.IP \(bu 3 +Avoid subprogram execution: +Any non-paired special +characters (\fB&\fR, \fB|\fR, \fB^\fR, \fB<\fR, \fB>\fR, \fB!\fR, \fB(\fR, +\fB)\fR, \fB(\fR, \fB%\fR) are automatically enclosed in quotes (\fB"\fR). +.IP \(bu 3 +Avoid environment variable replacement: +Any appearence of environment variable reference (\fB%\fR) is individually quoted +by \fB"\fR. +.PP +This quoting was introduced in TCL 8.6.10 breaking present scripts which rely on +the replacement functionality to avoid. A solution with command parameters is +envisaged for TCL 8.6.14. +.RE +.PP The Tk console text widget does not provide real standard IO capabilities. Under Tk, when redirecting from standard input, all applications will see an immediate end-of-file; information redirected to standard output or standard -- cgit v0.12 From 352f3ff588c3d6ca7b832fd69a88416d9ea0c0f9 Mon Sep 17 00:00:00 2001 From: oehhar Date: Mon, 6 Nov 2023 16:36:58 +0000 Subject: Exec documentation: refine Windows quoting section (thanks, Sergey !) --- doc/exec.n | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) 
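Review bot: the character list in the "Avoid subprogram execution" item of the 05adca5 hunk names \fB(\fR twice ("\fB)\fR, \fB(\fR, \fB%\fR)"), so either one entry is a duplicate or a different character was intended; please check the list against the quoting code in the Windows pipe implementation and fix it. The same item says "Any non-paired special characters ... are automatically enclosed in quotes", which reads as though individual characters get quoted rather than the argument that contains them; "Any argument containing one of the special characters ... is enclosed in quotes" says what the reader needs. Two spelling fixes in this hunk: "breake" should be "break" and "appearence" should be "appearance". In the closing paragraph, "breaking present scripts which rely on the replacement functionality to avoid" has a dangling "to avoid" and needs rewording, and naming "TCL 8.6.14" for the command-parameter solution puts a release promise into the man page; "a future release" avoids having to revise the text if the schedule moves.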
diff --git a/doc/exec.n b/doc/exec.n index dc1c8c5..4024ffe 100644 --- a/doc/exec.n +++ b/doc/exec.n @@ -234,12 +234,17 @@ processor (\fBcmd.exe /c\fR), because this causes truncation of command-line (also the argument chain) on the first newline character. But it works properly with an executable (using CommandLineToArgv, etc). .PP -\fBVulnerable arguments\fR +\fBArgument quoting\fR .RS +Each argument of the \fBexec\fR command is mapped to an argument of the called +program by an adaptive quoting by adding quote characters (\fB"\fR) around the +arguments. +.PP If invoking batch files or other specific programs, the Windows environment does execute programs mentioned in the arguments or replace environment -variables, which may breake any already existing quoting (for example, if the -environment variable contains a special character like a \fB"\fR). +variables, which may have side effects (vulnerabilities) or break any already +existing quoting (for example, if the environment variable contains a special +character like a \fB"\fR). Examples are: .CS % exec my-echo.cmd {test&whoami} 
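Review bot: the new lead sentence of the "Argument quoting" section, "mapped to an argument of the called program by an adaptive quoting by adding quote characters (\fB"\fR) around the arguments", stacks two "by" phrases and never says when quotes are added; suggest "Each argument of the \fBexec\fR command is mapped to one argument of the called program; quote characters (\fB"\fR) are added around an argument where needed." It would also help to state that this quoting is what \fBexec\fR does on the Tcl side, while the command processor still interprets special characters in a batch file's arguments, because the "Examples are:" block that follows shows exactly that and a reader otherwise wonders why quoting alone does not prevent it.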
@@ -248,21 +253,24 @@ Examples are: % exec my-echo.cmd "ENV X:%X%" ENV X: CONTENT OF X .CE -This might be seen as a vulnerability. In consequence, the following formatting -is automatically performed on any argument item: +In consequence, the following formatting is automatically performed on any +argument item: .IP \(bu 3 Avoid subprogram execution: -Any non-paired special -characters (\fB&\fR, \fB|\fR, \fB^\fR, \fB<\fR, \fB>\fR, \fB!\fR, \fB(\fR, -\fB)\fR, \fB(\fR, \fB%\fR) are automatically enclosed in quotes (\fB"\fR). +Any special character argument containing a special character (\fB&\fR, \fB|\fR, +\fB^\fR, \fB<\fR, \fB>\fR, \fB!\fR, \fB(\fR, \fB)\fR, \fB(\fR, \fB%\fR) +is automatically enclosed in quotes (\fB"\fR). Any data quote is escaped by +appropriate sequences like a double-quote. .IP \(bu 3 Avoid environment variable replacement: Any appearence of environment variable reference (\fB%\fR) is individually quoted by \fB"\fR. .PP -This quoting was introduced in TCL 8.6.10 breaking present scripts which rely on -the replacement functionality to avoid. A solution with command parameters is -envisaged for TCL 8.6.14. +TCL 8.6.10 refined this quoting by adding quoting for data quotes and individual +quoting of "\fB%\fR". +This may break present scripts which rely on the replacement functionality of +environment variables. +A solution with command parameters is envisaged for a future release of TCL. .RE .PP The Tk console text widget does not provide real standard IO capabilities. -- cgit v0.12 From cea34b6d9878e7861e983182282b2905b4a2175f Mon Sep 17 00:00:00 2001 From: oehhar Date: Mon, 6 Nov 2023 16:45:18 +0000 Subject: Remove the quoting example by ". It is more complicated than that, so be quiet. --- doc/exec.n | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/exec.n b/doc/exec.n index 4024ffe..f4a1702 100644 --- a/doc/exec.n +++ b/doc/exec.n 
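Review bot: "Any special character argument containing a special character (...)" in the second hunk of 352f3ff repeats itself; "Any argument containing a special character (...)" is what is meant. The list still carries \fB(\fR twice. "Any data quote is escaped by appropriate sequences like a double-quote" does not tell the reader what the escape sequence is, so either name it or leave the example out. In the closing paragraph, \fB%\fR is wrapped in plain ASCII quotes ("\fB%\fR") while everywhere else in this section bold alone marks a character; keep one convention. "appearence" in the "Avoid environment variable replacement" item is still misspelled.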
@@ -260,7 +260,7 @@ Avoid subprogram execution: Any special character argument containing a special character (\fB&\fR, \fB|\fR, \fB^\fR, \fB<\fR, \fB>\fR, \fB!\fR, \fB(\fR, \fB)\fR, \fB(\fR, \fB%\fR) is automatically enclosed in quotes (\fB"\fR). Any data quote is escaped by -appropriate sequences like a double-quote. +appropriate sequences. .IP \(bu 3 Avoid environment variable replacement: Any appearence of environment variable reference (\fB%\fR) is individually quoted -- cgit v0.12 From a4ac20392acd864a5b3d95221edf1bafc6737b23 Mon Sep 17 00:00:00 2001 From: oehhar Date: Fri, 10 Nov 2023 10:54:39 +0000 Subject: Exec wordsmithing. Thanks, Sergey! --- doc/exec.n | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/doc/exec.n b/doc/exec.n index f4a1702..a0008ad 100644 --- a/doc/exec.n +++ b/doc/exec.n 
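Review bot: after dropping "like a double-quote", the sentence "Any data quote is escaped by appropriate sequences." in cea34b6 gives the reader nothing actionable: anyone who needs to predict what the called program receives for an argument containing a literal \fB"\fR still has to read the source. If the exact sequence is too involved for the man page, at least say what the escaping is meant to achieve, for instance that the called program's own argument parsing (the section above already mentions CommandLineToArgv for executables) reproduces the original argument. The context line "Any appearence of environment variable reference" still has the "appearence" typo.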
@@ -236,15 +236,15 @@ But it works properly with an executable (using CommandLineToArgv, etc). .PP \fBArgument quoting\fR .RS -Each argument of the \fBexec\fR command is mapped to an argument of the called -program by an adaptive quoting by adding quote characters (\fB"\fR) around the -arguments. -.PP -If invoking batch files or other specific programs, the Windows environment -does execute programs mentioned in the arguments or replace environment -variables, which may have side effects (vulnerabilities) or break any already -existing quoting (for example, if the environment variable contains a special -character like a \fB"\fR). +The arguments of the \fBexec\fR command are mapped to the arguments of the called +program. Additional quote characters (\fB"\fR) are automatically added around +arguments if expected. Special characters are escaped by inserting backslash +characters. +.PP +The MS-Windows environment does execute programs mentioned in the arguments and +called batch files (conspec) replace environment variables, which may have side +effects (vulnerabilities) or break any already existing quoting (for example, +if the environment variable contains a special character like a \fB"\fR). Examples are: .CS % exec my-echo.cmd {test&whoami} @@ -253,14 +253,14 @@ Examples are: % exec my-echo.cmd "ENV X:%X%" ENV X: CONTENT OF X .CE -In consequence, the following formatting is automatically performed on any +The following formatting is automatically performed on any argument item: .IP \(bu 3 Avoid subprogram execution: Any special character argument containing a special character (\fB&\fR, \fB|\fR, \fB^\fR, \fB<\fR, \fB>\fR, \fB!\fR, \fB(\fR, \fB)\fR, \fB(\fR, \fB%\fR) is automatically enclosed in quotes (\fB"\fR). Any data quote is escaped by -appropriate sequences. +insertion of backslash characters. .IP \(bu 3 Avoid environment variable replacement: Any appearence of environment variable reference (\fB%\fR) is individually quoted -- cgit v0.12
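Review bot: "called batch files (conspec)" in the first hunk of a4ac203 looks like a typo for "comspec" (the \fBCOMSPEC\fR command processor, i.e. the \fBcmd.exe\fR this page already refers to as \fBcmd.exe /c\fR above), and the sentence "The MS-Windows environment does execute programs mentioned in the arguments and called batch files (conspec) replace environment variables" changes subject halfway through. Suggest: "When a batch file is invoked, the command processor (\fBcmd.exe\fR) executes programs named in the arguments and replaces environment variable references, which may have side effects (vulnerabilities) or break any already existing quoting ...". In the first paragraph, "are automatically added around arguments if expected" should read "if needed". The new sentence "Special characters are escaped by inserting backslash characters." is a blanket claim that the bullet list below contradicts: the list says an argument containing \fB&\fR, \fB|\fR and the rest is enclosed in quotes, and only data quotes get backslashes, so restrict the sentence to quote characters or drop it.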
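Review bot: "Any special character argument containing a special character" is still doubled in the "Avoid subprogram execution" item of the second hunk of a4ac203; "Any argument containing a special character" reads cleanly. The character list still names \fB(\fR twice, and "appearence" in the next item is still misspelled; since this commit is a wordsmithing pass over exactly these lines, it is the natural place to fix all three.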