Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

More Windows subprocess mitigations #313

Merged
merged 2 commits into from
Sep 6, 2024
Merged

Conversation

bgamari
Copy link
Contributor

@bgamari bgamari commented Apr 10, 2024

Add documentation and implement the escaping logic for % noted in https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/.

Another aspect of the BatBadBut vulnerability that the previous patch
did not address is the fact that `%` cannot be easily escaped in a
double-quoted string. The vulnerability discussion suggests
transliterating `%` as `%%cd:~,%`, which should evaluate to an empty
string assuming that the `DelayedExpansion` registry setting is
disabled.

Here I have implemented this additional mitigation.
System/Process.hs Outdated Show resolved Hide resolved
@bgamari bgamari merged commit 142a7eb into haskell:master Sep 6, 2024
41 checks passed
@bgamari bgamari deleted the wip/windows-2 branch September 6, 2024 01:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants