530b866c8e
fhandler_console::create_invisible_console_workaround() does not use the lpApplicationName parameter and neglects to quote its command name on lpCommandLine in the call to CreateProcessW. Given CreateProcessW's brain-dead method to evaluate the application path given on the command line, this opens up a security problem if Cygwin is installed into a path with spaces in it. Fix this by using the lpApplicationName parameter and quoting of the application path in the lpCommandLine parameter (used as argv[0] in the called console helper. For extended paranoia, make the argument string array big enough to fit full 64 bit pointer values into it. Handles usually only use the lower 32 bit, but better safe than sorry. Signed-off-by: Corinna Vinschen <corinna@vinschen.de> |
||
---|---|---|
.. | ||
CVSChangeLogs.old | ||
cygserver | ||
cygwin | ||
doc | ||
lsaauth | ||
testsuite | ||
utils | ||
acinclude.m4 | ||
aclocal.m4 | ||
autogen.sh | ||
c++wrap | ||
ccwrap | ||
config.guess | ||
config.sub | ||
configure | ||
configure.ac | ||
configure.cygwin | ||
CONTRIBUTORS | ||
COPYING | ||
COPYING.LIB | ||
CYGWIN_LICENSE | ||
install-sh | ||
Makefile.common | ||
Makefile.in | ||
README |
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Cygwin documentation is available on the net at https://cygwin.com You might especially be interested in https://cygwin.com/faq/faq.html#faq.programming.building-cygwin