# New Ticket Created by Zoffix Znet
# Please include the string: [perl #132258]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=132258 >
On Windows, cmd.exe has different quoting for arguments than CreateProcess()
and according to a Microsoft blog[^1], there's no one-size-fits-all solution.
While run() will quote stuff just fine for non-cmd.exe programs, the `perl6`
executable on Windows is a batch file, which makes `run 'perl6', ...` go through
cmd.exe and its quoting, and it's possible to introduce security issues:
run $*EXECUTABLE, '-e', '"&whoami'; # executes `whoami` on the shell, as can be seen by output at the end
The same problem exists with Perl's system:
system 'perl6', ('-e', '"" &whoami'); # executes `whoami` on the shell
So I'd assume the problem can't be solved entirely behind the scenes, precisely
because there's no one-size-fits-all solution.
However, even in Rakudo's own test suite there are `run`s that run
$*EXECUTABLE, feeding it improperly quoted arguments.
It's not very obvious that `perl6` is a batch file and that it'd need special
quoting.
So I think we need to:
1) Find a way to un-batch it. Make `perl6` a proper executable
2) Maybe add a `:win-cmd-quoting` arg to `run` that will properly quote args for
use with cmd.exe when we're running on Windows, so at least there's
an easy option for users to use, if they so require
[^1]: https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
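
The two-layer quoting described in the cited blog post, as an added Python sketch that is not part of the original ticket or of Rakudo: quote each argument for the CreateProcess()-style parser first, then caret-escape cmd.exe metacharacters. All function names are hypothetical, and `live_operators` is a deliberately simplified model of cmd.exe tokenizing (quotes toggle, a caret makes the next character literal), used only to show why the ticket's `'"&whoami'` argument escapes the first layer alone.

```python
# Added illustration; names are hypothetical, not Rakudo or Perl API.
CMD_META = '()%!^"<>&|'  # characters the cited blog post caret-escapes for cmd.exe

def argv_quote(arg):
    """Layer 1: quote so CreateProcess()-style argv parsing returns arg unchanged."""
    if arg and not any(c in ' \t\n\v"' for c in arg):
        return arg
    out, backslashes = ['"'], 0
    for ch in arg:
        if ch == '\\':
            backslashes += 1
            continue
        if ch == '"':
            # 2n+1 backslashes: n literal backslashes, then an escaped quote
            out.append('\\' * (2 * backslashes + 1) + '"')
        else:
            out.append('\\' * backslashes + ch)
        backslashes = 0
    # 2n backslashes so the closing quote still terminates the argument
    out.append('\\' * (2 * backslashes) + '"')
    return ''.join(out)

def cmd_escape(text):
    """Layer 2: prefix every cmd.exe metacharacter with a caret."""
    return ''.join('^' + c if c in CMD_META else c for c in text)

def quote_for_cmd(args):
    """Both layers, for a command line that cmd.exe will parse first."""
    return ' '.join(cmd_escape(argv_quote(a)) for a in args)

def live_operators(cmdline):
    """Simplified cmd.exe model: list operators it would still act on."""
    live, in_quotes, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '^' and not in_quotes:
            i += 2  # the caret and the character it makes literal
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in '&|<>' and not in_quotes:
            live.append(ch)
        i += 1
    return live

if __name__ == '__main__':
    args = ['perl6', '-e', '"&whoami']  # the argument list from the ticket
    layer1_only = ' '.join(argv_quote(a) for a in args)
    print(layer1_only, live_operators(layer1_only))
    print(quote_for_cmd(args), live_operators(quote_for_cmd(args)))
```

The sketch covers a single pass through cmd.exe; a batch wrapper that re-expands its arguments parses them again, which this model does not account for.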