Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent command-line injection for batch files with trailing char #324

Merged
merged 1 commit into from
Sep 6, 2024

Conversation

TristanCacqueray
Copy link
Contributor

This change ensure the regime implemented for HSEC-2024-0003 is applied to batch file names ending with trailing chars that are ignored by Windows.

This change ensure the regime implemented for HSEC-2024-0003 is
applied to batch file names ending with trailing chars that are
ignored by Windows.
@TristanCacqueray
Copy link
Contributor Author

Note that the recommended fix is to use GetFullPathNameW to get the real file name. Unfortunately I don't have a Windows system to implement this.

I believe the fix proposed here works, but perhaps it can produce false positive if a legitimate non batch script ends with .bat or something. Though I don't know if that's even possible since the trailing chars are also ignored when saving a file.

@bgamari
Copy link
Contributor

bgamari commented Sep 6, 2024

Thank you for handling this, @TristanCacqueray !

@bgamari bgamari merged commit 3381246 into haskell:master Sep 6, 2024
41 checks passed
@TristanCacqueray
Copy link
Contributor Author

You are welcome!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants