Report information
Id: 132258
Status: new
Priority: 0/
Queue: perl6

Owner: Nobody
Requestors: cpan [at] zoffix.com
Cc:
AdminCc:

Severity: (no value)
Tag: (no value)
Platform: (no value)
Patch Status: (no value)
VM: (no value)



Subject: [SECURITY][WIN32] `run "perl6" ...` can be made to execute shell commands
On Windows, cmd.exe has different quoting for arguments than CreateProcess() and, according to a Microsoft blog[^1], there's no one-size-fits-all solution. While run() will quote stuff just fine for non-cmd.exe programs, the `perl6` executable on Windows is a batch file, which makes `run 'perl6', ...` go through cmd.exe and its quoting, and it's possible to introduce security issues:

    run $*EXECUTABLE, '-e', '"&whoami'; # executes `whoami` on the shell, as can be seen by output at the end

The same problem exists with Perl's system:

    system 'perl6', ('-e', '"" &whoami'); # executes `whoami` on the shell

So I'd assume the problem can't be solved entirely behind the scenes, precisely because there's no one-size-fits-all solution. However, even in Rakudo's own test suite there are `run`s that run $*EXECUTABLE, feeding it improperly quoted arguments. It's not very obvious that `perl6` is a batch file and that it'd need special quoting. So I think we need to:

1) Find a way to un-batch it. Make `perl6` a proper executable
2) Maybe add a `:win-cmd-quoting` arg to `run` that will properly quote args for use with cmd.exe when we're running on Windows, so at least there's an easy option for users to use, if they so require

[1] https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
P.S.: actually `run 'perl6', '-e', '"&whoami';` doesn't seem to execute `whoami` on the shell (judging by output at least); however, `run $*EXECUTABLE` or `run 'perl6.bat'` do.
RT-Send-CC: perl6-compiler [...] perl.org
Worse still, there doesn't seem to be a way to make `run` work with `cmd.exe` commands at all. Even if you escape the args yourself properly, they seem to get butchered by libuv's quoting. There's a UV_PROCESS_WINDOWS_VERBATIM_ARGUMENTS that'd avoid quoting, though currently we have it off (so non-cmd.exe args get processed right).
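The two quoting layers the report and the follow-up comment are about, as an added worked example (this is not Rakudo, MoarVM or libuv code, and the helper names quote_for_createprocess, escape_for_cmd, cmd_split_commands, crt_parse_argv and spawn_outcome are this example's own). It follows the cited MSDN post: first quote each argument per the CreateProcess/C-runtime rules, then, only when the target is a batch file such as perl6.bat, prefix every cmd.exe metacharacter with ^. The cmd.exe and C-runtime parsers here are simplified models used to show what each layer sees; the model assumes the built string reaches CreateProcess verbatim, i.e. the situation the last comment describes with UV_PROCESS_WINDOWS_VERBATIM_ARGUMENTS on, with no extra quoting by libuv on top.

```python
# Added example (not Rakudo, MoarVM or libuv code): the two quoting layers a
# Windows spawn goes through, following the MSDN post cited in the report.
# Layer 1: CreateProcess() takes one command-line string that the child's C
# runtime splits back into argv.  Layer 2: if the target is a .bat/.cmd file,
# that string first passes through cmd.exe, which acts on its own
# metacharacters (& | < > ^ ( ) % ! ") before the child ever sees it.
# The parsers below are simplified models for demonstration, not the real
# CRT or cmd.exe; the helper names are this example's own.
import re

CMD_META = re.compile(r'[()%!^"<>&|]')

def quote_for_createprocess(arg):
    """Layer 1: quote one argv element per the CreateProcess/CRT rules."""
    if arg and not re.search(r'[\s"]', arg):
        return arg                                   # nothing to protect
    out, backslashes = ['"'], 0
    for ch in arg:
        if ch == '\\':
            backslashes += 1
        elif ch == '"':                              # 2n+1 backslashes => literal quote
            out.append('\\' * (2 * backslashes + 1) + '"')
            backslashes = 0
        else:
            out.append('\\' * backslashes + ch)
            backslashes = 0
    out.append('\\' * (2 * backslashes) + '"')       # trailing backslashes doubled
    return ''.join(out)

def escape_for_cmd(piece):
    """Layer 2: prefix every cmd.exe metacharacter with ^ so cmd.exe passes it
    through; the quotes are escaped too, so cmd.exe never enters quote mode."""
    return CMD_META.sub(lambda m: '^' + m.group(0), piece)

def build_command_line(argv, via_cmd):
    pieces = [quote_for_createprocess(a) for a in argv]
    if via_cmd:
        pieces = [escape_for_cmd(p) for p in pieces]
    return ' '.join(pieces)

def cmd_split_commands(line):
    """Simplified cmd.exe model: '"' toggles quote mode, '^' outside quotes
    escapes the next character, an unquoted & or | separates commands."""
    cmds, cur, in_quote, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == '^' and not in_quote and i + 1 < len(line):
            i += 1
            cur.append(line[i])                      # ^x -> x, no special meaning
        elif ch in '&|' and not in_quote:
            cmds.append(''.join(cur).strip())
            cur = []
            if i + 1 < len(line) and line[i + 1] == ch:   # && or ||
                i += 1
        else:
            cur.append(ch)
        i += 1
    cmds.append(''.join(cur).strip())
    return [c for c in cmds if c]

def crt_parse_argv(cmdline):
    """Simplified CRT model: whitespace outside quotes separates arguments;
    2n backslashes before '"' give n backslashes and toggle quoting, 2n+1 give
    n backslashes and a literal '"'; backslashes elsewhere are literal."""
    args, cur, in_quote, pending, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '\\':
            j = i
            while j < len(cmdline) and cmdline[j] == '\\':
                j += 1
            n = j - i
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append('\\' * (n // 2))
                if n % 2:
                    cur.append('"')
                else:
                    in_quote = not in_quote
                j += 1
            else:
                cur.append('\\' * n)
            i, pending = j, True
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch in ' \t' and not in_quote:
            if pending:
                args.append(''.join(cur))
                cur, pending = [], False
            i += 1
            continue
        else:
            cur.append(ch)
        pending, i = True, i + 1
    if pending:
        args.append(''.join(cur))
    return args

def spawn_outcome(argv, target_is_batch, cmd_escape):
    """The command(s) cmd.exe would run (more than one means the payload
    injected a command) and the argv the first child receives."""
    line = build_command_line(argv, cmd_escape)
    cmds = cmd_split_commands(line) if target_is_batch else [line]
    return {'commands': cmds, 'child_argv': crt_parse_argv(cmds[0])}

if __name__ == '__main__':
    payload = ['perl6.bat', '-e', '"&whoami']         # the report's argument list
    print(spawn_outcome(payload, True, False))        # two commands: whoami injected
    print(spawn_outcome(payload, True, True))         # one command, argv intact
```

With only the CreateProcess layer applied, the argument '"&whoami' becomes "\"&whoami" on the command line; cmd.exe sees the second double quote as closing its quote mode, so the & that follows is an unquoted command separator and whoami runs as a second command, which is the behaviour the report describes. With the cmd.exe layer added on top, every quote and & is ^-escaped, cmd.exe hands the original string through unchanged, and the C runtime of the child recovers the exact argv that was passed in. Note that the same ^-escaping applied to a non-batch target would be wrong, since no cmd.exe is there to strip the carets; that is why a per-call option, as the report proposes, rather than a global change, is the natural shape for this.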


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

For issues related to this RT instance (aka "perlbug"), please contact perlbug-admin at perl.org