Re: RFR: 8282008: Incorrect handling of quoted arguments in ProcessBuilder [v2]

Fri, 18 Feb 2022 08:36:26 -0800 

On Fri, 18 Feb 2022 16:07:29 GMT, Olga Mikhaltsova <omikhaltc...@openjdk.org> 
wrote:

>> This fix made equal processing of strings such as ""C:\\Program 
>> Files\\Git\\"" before and after JDK-8250568.
>> 
>> For example, it's needed to execute the following command on Windows:
>> `C:\Windows\SysWOW64\WScript.exe "MyVB.vbs" "C:\Program Files\Git" "Test"`
>> it's equal to:
>> `new ProcessBuilder("C:\\Windows\\SysWOW64\\WScript.exe", "MyVB.vbs", 
>> ""C:\\Program Files\\Git\\"", "Test").start();`
>> 
>> While processing, the 3rd argument ""C:\\Program Files\\Git\\"" treated as 
>> unquoted due to the condition added in JDK-8250568.
>> 
>>     private static String unQuote(String str) {
>>     .. 
>>        if (str.endsWith("\\"")) {
>>             return str;    // not properly quoted, treat as unquoted
>>         }
>>     ..
>>     }
>> 
>> 
>> that leads to the additional surrounding by quotes in 
>> ProcessImpl::createCommandLine(..) because needsEscaping(..) returns true 
>> due to the space inside the string argument.
>> As a result the native function CreateProcessW 
>> (src/java.base/windows/native/libjava/ProcessImpl_md.c) gets the incorrectly 
>> quoted argument: 
>> 
>> pcmd = C:\Windows\SysWOW64\WScript.exe MyVB.vbs ""C:\Program Files\Git"" Test
>> (jdk.lang.Process.allowAmbiguousCommands = true)
>> pcmd = "C:\Windows\SysWOW64\WScript.exe" MyVB.vbs ""C:\Program Files\Git\\"" 
>> Test
>> (jdk.lang.Process.allowAmbiguousCommands = false)
>> 
>> 
>> Obviously, a string ending with `"\\""` must not be started with `"""` to 
>> treat as unquoted overwise it’s should be treated as properly quoted.
>
> Olga Mikhaltsova has updated the pull request incrementally with one 
> additional commit since the last revision:
> 
>   Add test for JDK-8282008

@omikhaltsova Please take another look at the comment above.  The fix 
incorrectly allows a final double-quote to be escaped, resulting in unbalanced 
quotes and possibly allowing an argument to be joined with the next.
The recommendation is for the application to NOT add quotes to arguments and 
allow ProcessBuilder to do the necessary quoting.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7504

Reply via email to