From 05adca525608343e116de898ff6f3b0cd3300429 Mon Sep 17 00:00:00 2001 From: oehhar Date: Fri, 3 Nov 2023 11:25:01 +0000 Subject: Ticket [21b0629c] introduced additional exec quoting for Windows, but did not document it. Here is a proposed documentation. --- doc/exec.n | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/doc/exec.n b/doc/exec.n index d7fd96b..dc1c8c5 100644 --- a/doc/exec.n +++ b/doc/exec.n 
@@ -234,6 +234,37 @@ processor (\fBcmd.exe /c\fR), because this causes truncation of command-line (also the argument chain) on the first newline character. But it works properly with an executable (using CommandLineToArgv, etc). .PP +\fBVulnerable arguments\fR +.RS +If invoking batch files or other specific programs, the Windows environment +does execute programs mentioned in the arguments or replace environment +variables, which may breake any already existing quoting (for example, if the +environment variable contains a special character like a \fB"\fR). +Examples are: +.CS +% exec my-echo.cmd {test&whoami} + test + mylogin +% exec my-echo.cmd "ENV X:%X%" + ENV X: CONTENT OF X +.CE +This might be seen as a vulnerability. In consequence, the following formatting +is automatically performed on any argument item: +.IP \(bu 3 +Avoid subprogram execution: +Any non-paired special +characters (\fB&\fR, \fB|\fR, \fB^\fR, \fB<\fR, \fB>\fR, \fB!\fR, \fB(\fR, +\fB)\fR, \fB(\fR, \fB%\fR) are automatically enclosed in quotes (\fB"\fR). +.IP \(bu 3 +Avoid environment variable replacement: +Any appearence of environment variable reference (\fB%\fR) is individually quoted +by \fB"\fR. +.PP +This quoting was introduced in TCL 8.6.10 breaking present scripts which rely on +the replacement functionality to avoid. A solution with command parameters is +envisaged for TCL 8.6.14. +.RE +.PP The Tk console text widget does not provide real standard IO capabilities. Under Tk, when redirecting from standard input, all applications will see an immediate end-of-file; information redirected to standard output or standard -- cgit v0.12
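Review bot: The closing paragraph of the new "Vulnerable arguments" section does not parse ("breaking present scripts which rely on the replacement functionality to avoid"), so a reader whose script depended on %VAR% expansion or & chaining cannot tell what changed for them or what to do. Reword it along the lines of "This quoting was introduced in TCL 8.6.10 and breaks existing scripts that rely on this replacement." The .CS example has the same gap: it shows whoami being executed and %X% being expanded without saying that this is the output without the automatic quoting described directly below it. State which versions produce that output, and consider showing the result once the quoting is applied. In the first bullet the special-character list names \fB(\fR twice, and \fB%\fR appears both there and in the second bullet, so it is unclear which rule applies to a lone %. Two spelling fixes: "breake" should be "break" and "appearence" should be "appearance".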