On Windows, cmd.exe has different quoting for arguments than CreateProcess(), and according to a Microsoft blog[^1] there's no one-size-fits-all solution.
While run() will quote stuff just fine for non-cmd.exe programs, the `perl6` executable on Windows is a batch file, which makes `run 'perl6', ...` go through
cmd.exe and its quoting, and it's possible to introduce security issues:

```
run $*EXECUTABLE, '-e', '"&whoami'; # executes `whoami` on the shell, as can be seen by output at the end
```
The same problem exists with Perl's system:
```
system 'perl6', ('-e', '"" &whoami'); # executes `whoami` on the shell
```
So I'd assume the problem can't be solved entirely behind the scenes, precisely because there's no one-size-fits-all solution.
However, even in Rakudo's own test suite there are `run`s that run $*EXECUTABLE, feeding it improperly quoted arguments.
It's not very obvious that `perl6` is a batch file and that it'd need special quoting.
So I think we need to:
1) Find a way to un-batch it. Make `perl6` a proper executable
2) Maybe add a `:win-cmd-quoting` arg to `run` that will properly quote args for use with cmd.exe when we're running on Windows, so at least there's
an easy option for users to use, if they so require
P.S.: actually `run 'perl6', '-e', '"&whoami';` doesn't seem to execute `whoami` on the shell (judging by output at least), however `run $*EXECUTABLE` or `run 'perl6.bat'` do.
Worse still, there doesn't seem to be a way to make `run` work with `cmd.exe` commands at all. Even if you escape the args yourself properly, they seem to get butchered by libuv's quoting. There's a UV_PROCESS_WINDOWS_VERBATIM_ARGUMENTS that'd avoid quoting, though currently we have it off (so non-cmd.exe args get processed right).
Migrated from rt.perl.org#132258 (status was 'new')
Searchable as RT132258$
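
The two quoting layers discussed in the report, as an added Python example (not code from Rakudo, libuv or the original report): `argv_quote` applies the CreateProcess-side rules, `cmd_escape` adds caret escaping for cmd.exe, and `active_cmd_operators` is a simplified model of cmd.exe's quote tracking that shows which operators stay live. All function names are hypothetical, and the model ignores `%VAR%` expansion and the second parse that happens when a batch file re-expands `%*`.

```python
CMD_META = set('()%!^"<>&|')  # characters cmd.exe treats specially


def argv_quote(arg):
    """Quote one argument so the C runtime / CommandLineToArgvW recovers it."""
    if arg and not any(c in arg for c in ' \t\n\v"'):
        return arg
    out, backslashes = ['"'], 0
    for ch in arg:
        if ch == '\\':
            backslashes += 1
            continue
        if ch == '"':
            # Backslashes before a quote are doubled, plus one to escape the quote.
            out.append('\\' * (backslashes * 2 + 1) + '"')
        else:
            out.append('\\' * backslashes + ch)
        backslashes = 0
    # Trailing backslashes are doubled so they cannot escape the closing quote.
    out.append('\\' * (backslashes * 2) + '"')
    return ''.join(out)


def cmd_escape(quoted):
    """Caret-escape every cmd.exe metacharacter in an argv-quoted string."""
    return ''.join('^' + c if c in CMD_META else c for c in quoted)


def active_cmd_operators(line):
    """Operators cmd.exe would act on: outside quotes and not caret-escaped."""
    found, in_quotes, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '^' and not in_quotes:
            i += 2  # the caret makes the next character literal
            continue
        if ch == '"':
            in_quotes = not in_quotes  # cmd.exe does not honour backslash escapes
        elif ch in '&|<>' and not in_quotes:
            found.append(ch)
        i += 1
    return found


ARG = '"&whoami'           # the argument from the report above
PLAIN = argv_quote(ARG)    # CreateProcess-style quoting only
SAFE = cmd_escape(PLAIN)   # the same string with the cmd.exe layer added
for label, line in (('argv only', PLAIN), ('argv + caret', SAFE)):
    print(label, line, active_cmd_operators(line))
```

With argv quoting alone, cmd.exe sees the `\"` as a closing quote and the `&` that follows is parsed as a command separator; after caret escaping, no operator is left active in this model.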