From 26b477b907a50ee208b80c65849b93a8dcfea948 Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 20 Aug 2018 14:35:44 +0000 Subject: win: fixes [21b0629c81] - exec/open process pipe under windows (0-day vulnerability - insufficient escape) --- tests/winPipe.test | 8 +++--- win/tclWinPipe.c | 77 ++++++++++++++++++++++++++++++------------------------ 2 files changed, 47 insertions(+), 38 deletions(-) diff --git a/tests/winPipe.test b/tests/winPipe.test index f993e0c..c5d3846 100644 --- a/tests/winPipe.test +++ b/tests/winPipe.test @@ -323,22 +323,22 @@ test winpipe-7.2 {BuildCommandLine: null arguments} {win exec} { } {foo "" bar} test winpipe-7.3 {BuildCommandLine: dbl quote quoting #1} {win exec} { exec $env(COMSPEC) /c echo foo "\"" bar -} {foo \" bar} +} {foo "\"" bar} test winpipe-7.4 {BuildCommandLine: dbl quote quoting #2} {win exec} { exec $env(COMSPEC) /c echo foo {""} bar -} {foo \"\" bar} +} {foo "\"\"" bar} test winpipe-7.5 {BuildCommandLine: dbl quote quoting #3} {win exec} { exec $env(COMSPEC) /c echo foo "\" " bar } {foo "\" " bar} test winpipe-7.6 {BuildCommandLine: dbl quote quoting #4} {win exec} { exec $env(COMSPEC) /c echo foo {a="b"} bar -} {foo a=\"b\" bar} +} {foo "a=\"b\"" bar} test winpipe-7.7 {BuildCommandLine: dbl quote quoting #5} {win exec} { exec $env(COMSPEC) /c echo foo {a = "b"} bar } {foo "a = \"b\"" bar} test winpipe-7.8 {BuildCommandLine: dbl quote quoting #6} {win exec} { exec $env(COMSPEC) /c echo {"hello"} {""hello""} {"""hello"""} {"\"hello\""} {he llo} "he \" llo" -} {\"hello\" \"\"hello\"\" \"\"\"hello\"\"\" \"\\\"hello\\\"\" "he llo" "he \" llo"} +} {"\"hello\"" "\"\"hello\"\"" "\"\"\"hello\"\"\"" "\"\\\"hello\\\"\"" "he llo" "he \" llo"} test winpipe-7.9 {BuildCommandLine: N backslashes followed a quote rule #1} {win exec} { exec $env(COMSPEC) /c echo foo \\ bar } {foo \ bar} diff --git a/win/tclWinPipe.c b/win/tclWinPipe.c index e0d8c63..496e35b 100644 --- a/win/tclWinPipe.c +++ b/win/tclWinPipe.c @@ -1540,6 +1540,8 @@ BuildCommandLine( int quote, i; Tcl_DString ds; + const static char *specMetaChars = "&|^<>!%()"; + Tcl_DStringInit(&ds); /* @@ -1567,52 +1569,59 @@ BuildCommandLine( Tcl_UniChar ch; for (start = arg; *start != '\0'; start += count) { count = Tcl_UtfToUniChar(start, &ch); - if (Tcl_UniCharIsSpace(ch)) { /* INTL: ISO space. */ + if (Tcl_UniCharIsSpace(ch) || + (count == 1 && (*start=='"' || strchr(specMetaChars, *start))) + ) { + /* must be quoted */ quote = 1; break; } } } - if (quote) { + if (!quote) { + Tcl_DStringAppend(&ds, arg, -1); + } else { Tcl_DStringAppend(&ds, "\"", 1); - } - start = arg; - for (special = arg; ; ) { - if ((*special == '\\') && (special[1] == '\\' || - special[1] == '"' || (quote && special[1] == '\0'))) { - Tcl_DStringAppend(&ds, start, (int) (special - start)); - start = special; - while (1) { - special++; - if (*special == '"' || (quote && *special == '\0')) { - /* - * N backslashes followed a quote -> insert N * 2 + 1 - * backslashes then a quote. - */ - - Tcl_DStringAppend(&ds, start, - (int) (special - start)); - break; + start = arg; + for (special = arg; *special != '\0'; ) { + if (*special == '\\' && (special[1] == '\\' || special[1] == '"' || special[1] == '\0')) { + if (special > start) { + Tcl_DStringAppend(&ds, start, (int) (special - start)); } - if (*special != '\\') { - break; + Tcl_DStringAppend(&ds, "\\\\", 2); + start = ++special; + continue; + } + if (*special == '"') { + quote ^= 2; /* observe unpaired quotes */ + if (special > start) { + Tcl_DStringAppend(&ds, start, (int) (special - start)); } + Tcl_DStringAppend(&ds, "\\\"", 2); + start = ++special; + continue; } - Tcl_DStringAppend(&ds, start, (int) (special - start)); - start = special; + /* unpaired (escaped) quote causes special handling on meta-chars */ + if ((quote & 2) && strchr(specMetaChars, *special)) { + if (special > start) { + Tcl_DStringAppend(&ds, start, (int) (special - start)); + } + /* unpaired - escape all special chars inside quotes "..." */ + Tcl_DStringAppend(&ds, "\"", 1); + start = special; + do { + special++; + } while(*special && strchr(specMetaChars, *special)); + Tcl_DStringAppend(&ds, start, (int) (special - start)); + Tcl_DStringAppend(&ds, "\"", 1); + start = special; + continue; + } + special++; } - if (*special == '"') { + if (special > start) { Tcl_DStringAppend(&ds, start, (int) (special - start)); - Tcl_DStringAppend(&ds, "\\\"", 2); - start = special + 1; } - if (*special == '\0') { - break; - } - special++; - } - Tcl_DStringAppend(&ds, start, (int) (special - start)); - if (quote) { Tcl_DStringAppend(&ds, "\"", 1); } } -- cgit v0.12 From d660b325b58998ff0627e899550abf58bf260174 Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 20 Aug 2018 16:15:37 +0000 Subject: small amend: avoid reset of unpaired quote flag between arguments (previous affects next) + test cases extended with several injection checks. --- tests/winPipe.test | 169 ++++++++++++++++++++++++++++++++++------------------- win/tclWinPipe.c | 25 +++++--- 2 files changed, 126 insertions(+), 68 deletions(-) diff --git a/tests/winPipe.test b/tests/winPipe.test index c5d3846..eb0a854 100644 --- a/tests/winPipe.test +++ b/tests/winPipe.test @@ -308,10 +308,35 @@ test winpipe-6.2 {PipeSetupProc & PipeCheckProc: write threads} \ lappend x [catch {close $f} msg] $msg } {writable timeout 0 {}} -set path(echoArgs.tcl) [makeFile { - puts "[list $argv0 $argv]" -} echoArgs.tcl] - +proc _testExecArgs {single args} { + variable path + set path(echoArgs.tcl) [makeFile { + puts "[list [file tail $argv0] {*}$argv]" + } echoArgs.tcl] + set path(echoArgs.bat) [makeFile "@[file native [interpreter]] $path(echoArgs.tcl) %*" echoArgs.bat] + set broken {} + foreach args $args { + if {$single} { + set args [list $args] + } + foreach cmd [list \ + [list [interpreter] $path(echoArgs.tcl)] \ + [list $path(echoArgs.bat)] \ + ] { + set e [list [file tail $path(echoArgs.tcl)] {*}$args] + tcltest::DebugPuts 4 " ## test exec [file extension [lindex $cmd 0]] for $e" + if {[catch { + exec {*}$cmd {*}$args + } r]} { + set r "ERROR: $r" + } + if {$r ne $e} { + append broken "\[ERROR\]: exec [file extension [lindex $cmd 0]] on $args\n -- result:\n$r\n -- expected:\n$e\n" + } + } + } + return $broken +} ### validate the raw output of BuildCommandLine(). ### @@ -370,65 +395,87 @@ test winpipe-7.18 {BuildCommandLine: special chars #5} {win exec} { exec $env(COMSPEC) /c echo foo \} bar } "foo \} bar" +set injectList { + {test"whoami} {test""whoami} + {test"""whoami} {test""""whoami} + + "test\"whoami\\" "test\"\"whoami\\" + "test\"\"\"whoami\\" "test\"\"\"\"whoami\\" + + {test\"&whoami} {test"\"&whoami} + {test""\"&whoami} {test"""\"&whoami} + + {test&whoami} {test|whoami} + {"test&whoami} {"test|whoami} + {test"&whoami} {test"|whoami} + {"test"&whoami} {"test"|whoami} + {""test"&whoami} {""test"|whoami} + + {test&echo "} {test|echo "} + {"test&echo "} {"test|echo "} + {test"&echo "} {test"|echo "} + {"test"&echo "} {"test"|echo "} + {""test"&echo "} {""test"|echo "} + + {test&echo ""} {test|echo ""} + {"test&echo ""} {"test|echo ""} + {test"&echo ""} {test"|echo ""} + {"test"&echo ""} {"test"|echo ""} + {""test"&echo ""} {""test"|echo ""} + + {test>whoami} {testwhoami} {"testwhoami} {test"whoami} {"test"whoami} {""test" start) { Tcl_DStringAppend(&ds, start, (int) (special - start)); } + /* escape using backslash */ Tcl_DStringAppend(&ds, "\\\\", 2); start = ++special; continue; } + /* ["] */ if (*special == '"') { - quote ^= 2; /* observe unpaired quotes */ + quote ^= 2; /* invert unpaired flag - observe unpaired quotes */ if (special > start) { Tcl_DStringAppend(&ds, start, (int) (special - start)); } + /* escape using backslash */ Tcl_DStringAppend(&ds, "\\\"", 2); start = ++special; continue; @@ -1606,7 +1615,7 @@ BuildCommandLine( if (special > start) { Tcl_DStringAppend(&ds, start, (int) (special - start)); } - /* unpaired - escape all special chars inside quotes "..." */ + /* unpaired - escape all special chars inside quotes like `"..."` */ Tcl_DStringAppend(&ds, "\"", 1); start = special; do { @@ -1619,9 +1628,11 @@ BuildCommandLine( } special++; } + /* rest of argument (don't contain special chars) */ if (special > start) { Tcl_DStringAppend(&ds, start, (int) (special - start)); } + /* end of argument (closed quote-char) */ Tcl_DStringAppend(&ds, "\"", 1); } } -- cgit v0.12 From 01dd016ad89794ac85bfc2a7ccbedbb6d4c7f14f Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 20 Aug 2018 19:58:44 +0000 Subject: because executable (1st argument) always proper escaped now, don't need to replace long path name of batch-executable with short path name (reduced to 16-bit applications only). --- tests/winPipe.test | 44 +++++++++++++++++++++++++++++++++----------- win/tclWinPipe.c | 2 +- 2 files changed, 34 insertions(+), 12 deletions(-) diff --git a/tests/winPipe.test b/tests/winPipe.test index eb0a854..e817e85 100644 --- a/tests/winPipe.test +++ b/tests/winPipe.test @@ -310,21 +310,33 @@ test winpipe-6.2 {PipeSetupProc & PipeCheckProc: write threads} \ proc _testExecArgs {single args} { variable path - set path(echoArgs.tcl) [makeFile { - puts "[list [file tail $argv0] {*}$argv]" - } echoArgs.tcl] - set path(echoArgs.bat) [makeFile "@[file native [interpreter]] $path(echoArgs.tcl) %*" echoArgs.bat] + if {![info exists path(echoArgs.tcl)] || ![file exists $path(echoArgs.tcl)]} { + set path(echoArgs.tcl) [makeFile { + puts "[list [file tail $argv0] {*}$argv]" + } echoArgs.tcl] + } + if {![info exists path(echoArgs.bat)] || ![file exists $path(echoArgs.bat)]} { + set path(echoArgs.bat) [makeFile "@[file native [interpreter]] $path(echoArgs.tcl) %*" "echoArgs.bat"] + } + set cmds [list [list [interpreter] $path(echoArgs.tcl)]] + if {!($single & 2)} { + lappend cmds [list $path(echoArgs.bat)] + } else { + if {![info exists path(echoArgs2.bat)] || ![file exists $path(echoArgs2.bat)]} { + file mkdir [file join [temporaryDirectory] test(Dir)Check] + set path(echoArgs2.bat) [makeFile "@[file native [interpreter]] $path(echoArgs.tcl) %*" \ + "test(Dir)Check/echo(Cmd)Test Args & Batch.bat"] + } + lappend cmds [list $path(echoArgs2.bat)] + } set broken {} foreach args $args { - if {$single} { + if {$single & 1} { set args [list $args] } - foreach cmd [list \ - [list [interpreter] $path(echoArgs.tcl)] \ - [list $path(echoArgs.bat)] \ - ] { + foreach cmd $cmds { set e [list [file tail $path(echoArgs.tcl)] {*}$args] - tcltest::DebugPuts 4 " ## test exec [file extension [lindex $cmd 0]] for $e" + tcltest::DebugPuts 4 " ## test exec [file extension [lindex $cmd 0]] ($cmd) for\n ## $args" if {[catch { exec {*}$cmd {*}$args } r]} { @@ -475,6 +487,15 @@ test winpipe-8.3 {BuildCommandLine/parse_cmdline pass-thru: check injection on s [list "START\"" {*}$injectList "\"END"] } -result {} +test winpipe-8.4 {BuildCommandLine/parse_cmdline pass-thru: check injection on special meta-chars (command/jointly args)} \ +-constraints {win exec} -body { + _testExecArgs 2 \ + [list START {*}$injectList END] \ + [list "START\"" {*}$injectList END] \ + [list START {*}$injectList "\"END"] \ + [list "START\"" {*}$injectList "\"END"] +} -result {} + rename _testExecArgs {} # restore old values for env(TMP) and env(TEMP) @@ -487,6 +508,7 @@ if {[catch {set env(TEMP) $env_temp}]} { } # cleanup -file delete big little stdout stderr nothing echoArgs.tcl +file delete big little stdout stderr nothing echoArgs.tcl echoArgs.bat +file delete -force [file join [temporaryDirectory] test(Dir)Check] ::tcltest::cleanupTests return diff --git a/win/tclWinPipe.c b/win/tclWinPipe.c index cdbf467..a6a8f22 100644 --- a/win/tclWinPipe.c +++ b/win/tclWinPipe.c @@ -1492,7 +1492,7 @@ ApplicationType( return APPL_NONE; } - if ((applType == APPL_DOS) || (applType == APPL_WIN3X)) { + if (applType == APPL_WIN3X) { /* * Replace long path name of executable with short path name for * 16-bit applications. Otherwise the application may not be able to -- cgit v0.12 From fb0bf9d1b9dbcac3d58bef9c86b6353eaf3d0c1e Mon Sep 17 00:00:00 2001 From: sebres Date: Tue, 21 Aug 2018 18:52:21 +0000 Subject: fixes escape for special cases (+ more test-cases): - `%` char to be escaped (quoted) in any case (regardless pairing flag), otherwise `%username%` will be interpolated as username. - escape of multiple backslashes before quote is different (as without following quote) in unpaired quote syntax (upaired flag set) --- tests/winPipe.test | 30 ++++++++++- win/tclWinPipe.c | 142 +++++++++++++++++++++++++++++++++++++++++------------ 2 files changed, 139 insertions(+), 33 deletions(-) diff --git a/tests/winPipe.test b/tests/winPipe.test index e817e85..c375d8f 100644 --- a/tests/winPipe.test +++ b/tests/winPipe.test @@ -332,7 +332,9 @@ proc _testExecArgs {single args} { set broken {} foreach args $args { if {$single & 1} { - set args [list $args] + # enclose single test-arg between 1st/3rd to be sure nothing is truncated + # (e. g. to cover unexpected trim by nts-zero case, and args don't recombined): + set args [list "1st" $args "3rd"] } foreach cmd $cmds { set e [list [file tail $path(echoArgs.tcl)] {*}$args] @@ -414,8 +416,15 @@ set injectList { "test\"whoami\\" "test\"\"whoami\\" "test\"\"\"whoami\\" "test\"\"\"\"whoami\\" + {test\\&\\test} {test"\\&\\test} + {"test\\&\\test} {"test"\\&\\"test"} + {test\\"&"\\test} {test"\\"&"\\test} + {"test\\"&"\\test} {"test"\\"&"\\"test"} + {test\"&whoami} {test"\"&whoami} {test""\"&whoami} {test"""\"&whoami} + {test\"\&whoami} {test"\"\&whoami} + {test""\"\&whoami} {test"""\"\&whoami} {test&whoami} {test|whoami} {"test&whoami} {"test|whoami} @@ -445,6 +454,25 @@ set injectList { {test^whoami} {test^^echo ^^^} {test"^whoami} {test"^^echo ^^^} {test"^echo ^^^"} {test""^echo" ^^^"} + + {test%USERDOMAIN%\%USERNAME%} + {test" %USERDOMAIN%\%USERNAME%} + {test%USERDOMAIN%\\%USERNAME%} + {test" %USERDOMAIN%\\%USERNAME%} + {test%USERDOMAIN%&%USERNAME%} + {test" %USERDOMAIN%&%USERNAME%} + {test%USERDOMAIN%\&\%USERNAME%} + {test" %USERDOMAIN%\&\%USERNAME%} + + {test%USERDOMAIN%\&\test} + {test" %USERDOMAIN%\&\test} + {test%USERDOMAIN%\\&\\test} + {test" %USERDOMAIN%\\&\\test} + + {test%USERDOMAIN%\&\"test} + {test" %USERDOMAIN%\&\"test} + {test%USERDOMAIN%\\&\\"test} + {test" %USERDOMAIN%\\&\\"test} } ### validate the pass-thru from BuildCommandLine() to the crt's parse_cmdline(). diff --git a/win/tclWinPipe.c b/win/tclWinPipe.c index a6a8f22..728e43a 100644 --- a/win/tclWinPipe.c +++ b/win/tclWinPipe.c @@ -1527,6 +1527,86 @@ ApplicationType( *---------------------------------------------------------------------- */ +static const char * +BuildCmdLineBypassBS( + const char *current, + const char **bspos +) { + /* mark first backslash possition */ + if (!*bspos) { + *bspos = current; + } + do { + current++; + } while (*current == '\\'); + return current; +} + +static void +QuoteCmdLineBackslash( + Tcl_DString *dsPtr, + const char *start, + const char *current, + const char *bspos +) { + if (!bspos) { + if (current > start) { /* part before current (special) */ + Tcl_DStringAppend(dsPtr, start, (int) (current - start)); + } + } else { + if (bspos > start) { /* part before first backslash */ + Tcl_DStringAppend(dsPtr, start, (int) (bspos - start)); + } + while (bspos++ < current) { /* each backslash twice */ + Tcl_DStringAppend(dsPtr, "\\\\", 2); + } + } +} + +static const char * +QuoteCmdLinePart( + Tcl_DString *dsPtr, + const char *start, + const char *special, + const char *specMetaChars, + const char **bspos +) { + if (!*bspos) { + /* rest before special (before quote) */ + QuoteCmdLineBackslash(dsPtr, start, special, NULL); + start = special; + } else { + /* rest before first backslash and backslashes into new quoted block */ + QuoteCmdLineBackslash(dsPtr, start, *bspos, NULL); + start = *bspos; + } + /* + * escape all special chars enclosed in quotes like `"..."`, note that here we + * don't must escape `\` (with `\`), because it's outside of the main quotes, + * so `\` remains `\`, but important - not at end of part, because results as + * before the quote, so `%\%\` should be escaped as `"%\%"\\`). + */ + Tcl_DStringAppend(dsPtr, "\"", 1); /* opening escape quote-char */ + do { + *bspos = NULL; + special++; + if (*special == '\\') { + /* bypass backslashes (and mark first backslash possition)*/ + special = BuildCmdLineBypassBS(special, bspos); + if (*special == '\0') break; + } + } while (*special && strchr(specMetaChars, *special)); + if (!*bspos) { + /* unescaped rest before quote */ + QuoteCmdLineBackslash(dsPtr, start, special, NULL); + } else { + /* unescaped rest before first backslash (rather belongs to the main block) */ + QuoteCmdLineBackslash(dsPtr, start, *bspos, NULL); + } + Tcl_DStringAppend(dsPtr, "\"", 1); /* closing escape quote-char */ + return special; +} + static void BuildCommandLine( const char *executable, /* Full path of executable (including @@ -1536,11 +1616,14 @@ BuildCommandLine( Tcl_DString *linePtr) /* Initialized Tcl_DString that receives the * command line (TCHAR). */ { - const char *arg, *start, *special; + const char *arg, *start, *special, *bspos; int quote = 0, i; Tcl_DString ds; - const static char *specMetaChars = "&|^<>!%()"; + /* characters to enclose in quotes if unpaired quote flag set */ + const static char *specMetaChars = "&|^<>!()%"; + /* characters to enclose in quotes in any case (regardless unpaired-flag) */ + const static char *specMetaChars2 = "%"; Tcl_DStringInit(&ds); @@ -1566,6 +1649,7 @@ BuildCommandLine( * 2 - previous arguments chain contains unpaired quote-char; */ quote &= ~1; /* reset escape flag */ + bspos = NULL; if (arg[0] == '\0') { quote = 1; } else { @@ -1585,26 +1669,22 @@ BuildCommandLine( /* nothing to escape */ Tcl_DStringAppend(&ds, arg, -1); } else { - /* start of argument (open quote-char) */ + /* start of argument (main opening quote-char) */ Tcl_DStringAppend(&ds, "\"", 1); start = arg; for (special = arg; *special != '\0'; ) { - /* `\\` or `\"` or `\` at end (so equal `\"` because quoted) */ - if (*special == '\\' && (special[1] == '\\' || special[1] == '"' || special[1] == '\0')) { - if (special > start) { - Tcl_DStringAppend(&ds, start, (int) (special - start)); - } - /* escape using backslash */ - Tcl_DStringAppend(&ds, "\\\\", 2); - start = ++special; - continue; + /* position of `\` is important before quote or at end (equal `\"` because quoted) */ + if (*special == '\\') { + /* bypass backslashes (and mark first backslash possition)*/ + special = BuildCmdLineBypassBS(special, &bspos); + if (*special == '\0') break; } /* ["] */ if (*special == '"') { quote ^= 2; /* invert unpaired flag - observe unpaired quotes */ - if (special > start) { - Tcl_DStringAppend(&ds, start, (int) (special - start)); - } + /* add part before (and escape backslashes before quote) */ + QuoteCmdLineBackslash(&ds, start, special, bspos); + bspos = NULL; /* escape using backslash */ Tcl_DStringAppend(&ds, "\\\"", 2); start = ++special; @@ -1612,27 +1692,25 @@ BuildCommandLine( } /* unpaired (escaped) quote causes special handling on meta-chars */ if ((quote & 2) && strchr(specMetaChars, *special)) { - if (special > start) { - Tcl_DStringAppend(&ds, start, (int) (special - start)); - } - /* unpaired - escape all special chars inside quotes like `"..."` */ - Tcl_DStringAppend(&ds, "\"", 1); - start = special; - do { - special++; - } while(*special && strchr(specMetaChars, *special)); - Tcl_DStringAppend(&ds, start, (int) (special - start)); - Tcl_DStringAppend(&ds, "\"", 1); - start = special; + special = QuoteCmdLinePart(&ds, start, special, specMetaChars, &bspos); + /* start to current or first backslash */ + start = !bspos ? special : bspos; continue; } + /* special case for % - should be enclosed always (paired also) */ + if (strchr(specMetaChars2, *special)) { + special = QuoteCmdLinePart(&ds, start, special, specMetaChars2, &bspos); + /* start to current or first backslash */ + start = !bspos ? special : bspos; + continue; + } + /* other not special (and not meta) character */ + bspos = NULL; /* reset last backslash possition (not interesting) */ special++; } - /* rest of argument (don't contain special chars) */ - if (special > start) { - Tcl_DStringAppend(&ds, start, (int) (special - start)); - } - /* end of argument (closed quote-char) */ + /* rest of argument (and escape backslashes before closing main quote) */ + QuoteCmdLineBackslash(&ds, start, special, bspos); + /* end of argument (main closing quote-char) */ Tcl_DStringAppend(&ds, "\"", 1); } } -- cgit v0.12 From c2d61d8dbcee801a9eef8c388816573f3da4a92a Mon Sep 17 00:00:00 2001 From: sebres Date: Thu, 23 Aug 2018 08:00:32 +0000 Subject: code review, restored backwards compatibility of the simplest escape of quote-chars (so reverted several tests winpipe-7.x) --- tests/winPipe.test | 8 ++++---- win/tclWinPipe.c | 37 +++++++++++++++++++++++++------------ 2 files changed, 29 insertions(+), 16 deletions(-) diff --git a/tests/winPipe.test b/tests/winPipe.test index c375d8f..5c6eac8 100644 --- a/tests/winPipe.test +++ b/tests/winPipe.test @@ -362,22 +362,22 @@ test winpipe-7.2 {BuildCommandLine: null arguments} {win exec} { } {foo "" bar} test winpipe-7.3 {BuildCommandLine: dbl quote quoting #1} {win exec} { exec $env(COMSPEC) /c echo foo "\"" bar -} {foo "\"" bar} +} {foo \" bar} test winpipe-7.4 {BuildCommandLine: dbl quote quoting #2} {win exec} { exec $env(COMSPEC) /c echo foo {""} bar -} {foo "\"\"" bar} +} {foo \"\" bar} test winpipe-7.5 {BuildCommandLine: dbl quote quoting #3} {win exec} { exec $env(COMSPEC) /c echo foo "\" " bar } {foo "\" " bar} test winpipe-7.6 {BuildCommandLine: dbl quote quoting #4} {win exec} { exec $env(COMSPEC) /c echo foo {a="b"} bar -} {foo "a=\"b\"" bar} +} {foo a=\"b\" bar} test winpipe-7.7 {BuildCommandLine: dbl quote quoting #5} {win exec} { exec $env(COMSPEC) /c echo foo {a = "b"} bar } {foo "a = \"b\"" bar} test winpipe-7.8 {BuildCommandLine: dbl quote quoting #6} {win exec} { exec $env(COMSPEC) /c echo {"hello"} {""hello""} {"""hello"""} {"\"hello\""} {he llo} "he \" llo" -} {"\"hello\"" "\"\"hello\"\"" "\"\"\"hello\"\"\"" "\"\\\"hello\\\"\"" "he llo" "he \" llo"} +} {\"hello\" \"\"hello\"\" \"\"\"hello\"\"\" \"\\\"hello\\\"\" "he llo" "he \" llo"} test winpipe-7.9 {BuildCommandLine: N backslashes followed a quote rule #1} {win exec} { exec $env(COMSPEC) /c echo foo \\ bar } {foo \ bar} diff --git a/win/tclWinPipe.c b/win/tclWinPipe.c index 728e43a..21bdcec 100644 --- a/win/tclWinPipe.c +++ b/win/tclWinPipe.c @@ -1647,21 +1647,27 @@ BuildCommandLine( /* Quote flags: * 1 - escape argument; * 2 - previous arguments chain contains unpaired quote-char; + * 4 - enclose in quotes; */ - quote &= ~1; /* reset escape flag */ + quote &= ~5; /* reset escape flags */ bspos = NULL; if (arg[0] == '\0') { - quote = 1; + quote = 5; } else { int count; Tcl_UniChar ch; for (start = arg; *start != '\0'; start += count) { count = Tcl_UtfToUniChar(start, &ch); - if (Tcl_UniCharIsSpace(ch) || - (count == 1 && (*start=='"' || strchr(specMetaChars, *start))) - ) { - quote |= 1; /* set escape flag - must be quoted */ - break; + if (count == 1) { + if (Tcl_UniCharIsSpace(ch) || + strchr(specMetaChars, *start) + ) { + quote |= 5; /* set escape flag & must be quoted */ + break; + } + if (*start == '"') { + quote |= 1; /* set escape flag */ + } } } } @@ -1670,7 +1676,9 @@ BuildCommandLine( Tcl_DStringAppend(&ds, arg, -1); } else { /* start of argument (main opening quote-char) */ - Tcl_DStringAppend(&ds, "\"", 1); + if (quote & 4) { + Tcl_DStringAppend(&ds, "\"", 1); + } start = arg; for (special = arg; *special != '\0'; ) { /* position of `\` is important before quote or at end (equal `\"` because quoted) */ @@ -1708,10 +1716,15 @@ BuildCommandLine( bspos = NULL; /* reset last backslash possition (not interesting) */ special++; } - /* rest of argument (and escape backslashes before closing main quote) */ - QuoteCmdLineBackslash(&ds, start, special, bspos); - /* end of argument (main closing quote-char) */ - Tcl_DStringAppend(&ds, "\"", 1); + if (quote & 4) { + /* rest of argument (and escape backslashes before closing main quote) */ + QuoteCmdLineBackslash(&ds, start, special, bspos); + /* end of argument (main closing quote-char) */ + Tcl_DStringAppend(&ds, "\"", 1); + } else { + /* rest of argument */ + QuoteCmdLineBackslash(&ds, start, special, NULL); + } } } Tcl_DStringFree(linePtr); -- cgit v0.12 From 820a737a2f302b54ee7af88484cbfd694ec65804 Mon Sep 17 00:00:00 2001 From: sebres Date: Thu, 23 Aug 2018 10:26:03 +0000 Subject: code review, skip slow test winpipe-8.2 executed args from injectList particularly (normally winpipe-8.3 covers the same but jointly), to enable use parameter `-constraints slowTest`, added new test with randomly generated potentially dangerous args --- library/tcltest/tcltest.tcl | 4 +++ tests/winPipe.test | 35 ++++++++++++++++++-- win/tclWinPipe.c | 81 ++++++++++++++++++++++++++++----------------- 3 files changed, 87 insertions(+), 33 deletions(-) diff --git a/library/tcltest/tcltest.tcl b/library/tcltest/tcltest.tcl index 8e43859..936acaa 100644 --- a/library/tcltest/tcltest.tcl +++ b/library/tcltest/tcltest.tcl @@ -1243,6 +1243,10 @@ proc tcltest::DefineConstraintInitializers {} { ConstraintInitializer interactive \ {expr {[info exists ::tcl_interactive] && $::tcl_interactive}} + # Skip slow tests (to enable slow tests add parameter `-constraints slowTest`) + + ConstraintInitializer slowTest {format 0} + # Some tests can only be run if the installation came from a CD # image instead of a web image. Some tests must be skipped if you # are running as root on Unix. Other tests can only be run if you diff --git a/tests/winPipe.test b/tests/winPipe.test index 5c6eac8..4385690 100644 --- a/tests/winPipe.test +++ b/tests/winPipe.test @@ -336,8 +336,9 @@ proc _testExecArgs {single args} { # (e. g. to cover unexpected trim by nts-zero case, and args don't recombined): set args [list "1st" $args "3rd"] } + set args [list {*}$args]; # normalized canonical list foreach cmd $cmds { - set e [list [file tail $path(echoArgs.tcl)] {*}$args] + set e [linsert $args 0 [file tail $path(echoArgs.tcl)]] tcltest::DebugPuts 4 " ## test exec [file extension [lindex $cmd 0]] ($cmd) for\n ## $args" if {[catch { exec {*}$cmd {*}$args @@ -502,7 +503,7 @@ test winpipe-8.1 {BuildCommandLine/parse_cmdline pass-thru: dumped arguments are } -result {} test winpipe-8.2 {BuildCommandLine/parse_cmdline pass-thru: check injection on special meta-chars (particular)} \ --constraints {win exec} -body { +-constraints {win exec slowTest} -body { _testExecArgs 1 {*}$injectList } -result {} @@ -524,6 +525,36 @@ test winpipe-8.4 {BuildCommandLine/parse_cmdline pass-thru: check injection on s [list "START\"" {*}$injectList "\"END"] } -result {} +test winpipe-8.5 {BuildCommandLine/parse_cmdline pass-thru: check injection on special meta-chars (random mix)} \ +-constraints {win exec} -body { + set lst {} + set maps { + {\&|^<>!()%} + {\&|^<>!()% } + {"\&|^<>!()%} + {"\&|^<>!()% } + {"""""\\\\\&|^<>!()%} + {"""""\\\\\&|^<>!()% } + } + set i 0 + time { + set args {[incr i].} + time { + set map [lindex $maps [expr {int(rand()*[llength $maps])}]] + # be sure arg has some prefix (avoid special handling, like |& etc) + set a {x} + while {[string length $a] < 50} { + append a [string index $map [expr {int(rand()*[string length $map])}]] + } + lappend args $a + } 20 + lappend lst $args + } 10 + _testExecArgs 0 {*}$lst +} -result {} -cleanup { + unset -nocomplain lst args a map maps +} + rename _testExecArgs {} # restore old values for env(TMP) and env(TEMP) diff --git a/win/tclWinPipe.c b/win/tclWinPipe.c index 21bdcec..e596cac 100644 --- a/win/tclWinPipe.c +++ b/win/tclWinPipe.c @@ -1625,6 +1625,13 @@ BuildCommandLine( /* characters to enclose in quotes in any case (regardless unpaired-flag) */ const static char *specMetaChars2 = "%"; + /* Quote flags: + * CL_ESCAPE - escape argument; + * CL_QUOTE - enclose in quotes; + * CL_UNPAIRED - previous arguments chain contains unpaired quote-char; + */ + enum {CL_ESCAPE = 1, CL_QUOTE = 2, CL_UNPAIRED = 4}; + Tcl_DStringInit(&ds); /* @@ -1644,41 +1651,55 @@ BuildCommandLine( Tcl_DStringAppend(&ds, " ", 1); } - /* Quote flags: - * 1 - escape argument; - * 2 - previous arguments chain contains unpaired quote-char; - * 4 - enclose in quotes; - */ - quote &= ~5; /* reset escape flags */ + quote &= ~(CL_ESCAPE|CL_QUOTE); /* reset escape flags */ bspos = NULL; if (arg[0] == '\0') { - quote = 5; + quote = CL_QUOTE; } else { int count; Tcl_UniChar ch; - for (start = arg; *start != '\0'; start += count) { + for (start = arg; + *start != '\0' && + (quote & (CL_ESCAPE|CL_QUOTE)) != (CL_ESCAPE|CL_QUOTE); + start += count + ) { count = Tcl_UtfToUniChar(start, &ch); - if (count == 1) { - if (Tcl_UniCharIsSpace(ch) || - strchr(specMetaChars, *start) - ) { - quote |= 5; /* set escape flag & must be quoted */ + if (count > 1) continue; + if (Tcl_UniCharIsSpace(ch)) { + quote |= CL_QUOTE; /* quote only */ + if (bspos) { /* if backslash found - escape & quote */ + quote |= CL_ESCAPE; break; } - if (*start == '"') { - quote |= 1; /* set escape flag */ + continue; + } + if (strchr(specMetaChars, *start)) { + quote |= (CL_ESCAPE|CL_QUOTE); /*escape & quote */ + break; + } + if (*start == '"') { + quote |= CL_ESCAPE; /* escape only */ + continue; + } + if (*start == '\\') { + bspos = start; + if (quote & CL_QUOTE) { /* if quote - escape & quote */ + quote |= CL_ESCAPE; + break; } + continue; } } + bspos = NULL; } - if (!(quote & 1)) { + if (quote & CL_QUOTE) { + /* start of argument (main opening quote-char) */ + Tcl_DStringAppend(&ds, "\"", 1); + } + if (!(quote & CL_ESCAPE)) { /* nothing to escape */ Tcl_DStringAppend(&ds, arg, -1); } else { - /* start of argument (main opening quote-char) */ - if (quote & 4) { - Tcl_DStringAppend(&ds, "\"", 1); - } start = arg; for (special = arg; *special != '\0'; ) { /* position of `\` is important before quote or at end (equal `\"` because quoted) */ @@ -1689,7 +1710,7 @@ BuildCommandLine( } /* ["] */ if (*special == '"') { - quote ^= 2; /* invert unpaired flag - observe unpaired quotes */ + quote ^= CL_UNPAIRED; /* invert unpaired flag - observe unpaired quotes */ /* add part before (and escape backslashes before quote) */ QuoteCmdLineBackslash(&ds, start, special, bspos); bspos = NULL; @@ -1699,7 +1720,7 @@ BuildCommandLine( continue; } /* unpaired (escaped) quote causes special handling on meta-chars */ - if ((quote & 2) && strchr(specMetaChars, *special)) { + if ((quote & CL_UNPAIRED) && strchr(specMetaChars, *special)) { special = QuoteCmdLinePart(&ds, start, special, specMetaChars, &bspos); /* start to current or first backslash */ start = !bspos ? special : bspos; @@ -1716,15 +1737,13 @@ BuildCommandLine( bspos = NULL; /* reset last backslash possition (not interesting) */ special++; } - if (quote & 4) { - /* rest of argument (and escape backslashes before closing main quote) */ - QuoteCmdLineBackslash(&ds, start, special, bspos); - /* end of argument (main closing quote-char) */ - Tcl_DStringAppend(&ds, "\"", 1); - } else { - /* rest of argument */ - QuoteCmdLineBackslash(&ds, start, special, NULL); - } + /* rest of argument (and escape backslashes before closing main quote) */ + QuoteCmdLineBackslash(&ds, start, special, + (quote & CL_QUOTE) ? bspos : NULL); + } + if (quote & CL_QUOTE) { + /* end of argument (main closing quote-char) */ + Tcl_DStringAppend(&ds, "\"", 1); } } Tcl_DStringFree(linePtr); -- cgit v0.12