On Mon, Aug 22, 2016 at 3:40 PM, Chris Angelico <ros...@gmail.com> wrote:
> Windows has some other issues, including that arbitrary files can
> become executable very easily (e.g. if %PATHEXT% includes its file
> extension),

cmd uses PATHEXT to augment its search by appending each extension in the list, in addition to searching for the exact filename. cmd will always attempt to run any match, regardless of the extension. You must be thinking of PowerShell, which for some reason reinterprets how this environment variable has worked since probably OS/2 in the late 80s. PowerShell only executes files found in PATH that have an extension that's listed in PATHEXT.

CreateProcess checks the user's execute access in the file security, which can prevent the execution of .BAT/.CMD files and PE executables, regardless of extension. But ShellExecute(Ex) has an MS-DOS brain (so much of the entire Explorer/shell32 implementation has an MS-DOS brain; it's like they think they're still supporting Windows 9x), so scripts and data files are always 'executable'. You get some help here from cmd, which always tries CreateProcess, regardless of extension, and won't continue to ShellExecuteEx if CreateProcess failed because access was denied. PowerShell... not so much.

> and since the current directory is always at the beginning
> of your path, this can easily turn into a remote code execution
> exploit.

Since Vista, both CreateProcess and cmd.exe support the environment variable NoDefaultCurrentDirectoryInExePath. If this is set, you have to explicitly reference the current directory. PowerShell always required this.

-- 
https://mail.python.org/mailman/listinfo/python-list
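As an added illustration (not code from the thread or from either poster), the following Python script models the lookup rules the reply describes: cmd searches the current directory first unless NoDefaultCurrentDirectoryInExePath is set, tries the exact name and then each PATHEXT extension, and accepts any match; PowerShell never searches the current directory implicitly and only accepts a match whose extension is listed in PATHEXT. It stops at name resolution (which file would be picked), so the CreateProcess/ShellExecuteEx execution step and the file-security check are out of scope. The sample filesystem, the PATH and PATHEXT values, and every function name are constructed for the example; the script runs on any platform because it uses ntpath for Windows path semantics.

```python
"""Model of bare-command lookup in cmd.exe vs. PowerShell (added example).

Assumptions, labelled here as in the lead-in: the filesystem, PATH and
PATHEXT below are constructed; only the search is modelled, not execution.
"""
import ntpath
from typing import Callable, Optional, Sequence

# Constructed sample filesystem, stored as normalized (lower-case, backslash) paths.
SAMPLE_FILES = frozenset(ntpath.normcase(p) for p in (
    r"C:\Users\victim\Downloads\git.bat",   # planted next to a downloaded file
    r"C:\Users\victim\Downloads\notes.txt",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Program Files\Git\cmd\git.exe",    # the real git
    r"C:\Tools\report.xyz",                 # extension not listed in PATHEXT
))
SAMPLE_CWD = r"C:\Users\victim\Downloads"
SAMPLE_PATH = [r"C:\Windows\System32", r"C:\Program Files\Git\cmd", r"C:\Tools"]
SAMPLE_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]


def sample_exists(path: str) -> bool:
    """Stand-in for os.path.exists against the constructed filesystem."""
    return ntpath.normcase(path) in SAMPLE_FILES


def same_path(a: str, b: str) -> bool:
    """Case-insensitive comparison of two Windows paths."""
    return ntpath.normcase(a) == ntpath.normcase(b)


def _is_explicit(name: str) -> bool:
    """A name with a path component (.\foo, C:\foo) is not searched in PATH."""
    return "\\" in name or "/" in name or ntpath.isabs(name)


def _has_pathext_ext(name: str, pathext: Sequence[str]) -> bool:
    ext = ntpath.splitext(name)[1].lower()
    return ext != "" and ext in {e.lower() for e in pathext}


def _first_hit(directory: str, name: str, pathext: Sequence[str],
               exists: Callable[[str], bool], exact_ok: bool) -> Optional[str]:
    """First existing candidate in `directory`: the exact name (if allowed),
    then name + each PATHEXT extension, in PATHEXT order."""
    base = ntpath.normpath(ntpath.join(directory, name))
    if exact_ok and exists(base):
        return base
    for ext in pathext:
        candidate = base + ext
        if exists(candidate):
            return candidate
    return None


def resolve_cmd(name: str, cwd: str, path_dirs: Sequence[str],
                pathext: Sequence[str], exists: Callable[[str], bool],
                no_default_cwd: bool = False) -> Optional[str]:
    """cmd.exe: the current directory is searched first unless
    NoDefaultCurrentDirectoryInExePath is set (no_default_cwd=True), and an
    exact filename match is accepted whatever its extension."""
    if _is_explicit(name):
        return _first_hit(cwd, name, pathext, exists, exact_ok=True)
    search = ([] if no_default_cwd else [cwd]) + list(path_dirs)
    for directory in search:
        hit = _first_hit(directory, name, pathext, exists, exact_ok=True)
        if hit is not None:
            return hit
    return None


def resolve_powershell(name: str, cwd: str, path_dirs: Sequence[str],
                       pathext: Sequence[str],
                       exists: Callable[[str], bool]) -> Optional[str]:
    """PowerShell: the current directory is never searched implicitly, and a
    match is only accepted if its extension is listed in PATHEXT."""
    exact_ok = _has_pathext_ext(name, pathext)
    if _is_explicit(name):
        return _first_hit(cwd, name, pathext, exists, exact_ok)
    for directory in path_dirs:
        hit = _first_hit(directory, name, pathext, exists, exact_ok)
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    args = (SAMPLE_CWD, SAMPLE_PATH, SAMPLE_PATHEXT, sample_exists)
    for typed in ("git", r".\git", "report.xyz", "notepad"):
        print(f"{typed:12} cmd:                                    {resolve_cmd(typed, *args)}")
        print(f"{'':12} cmd+NoDefaultCurrentDirectoryInExePath: "
              f"{resolve_cmd(typed, *args, no_default_cwd=True)}")
        print(f"{'':12} PowerShell:                             {resolve_powershell(typed, *args)}")
```

Typing plain "git" from the Downloads directory picks up the planted git.bat under the cmd rules, while setting NoDefaultCurrentDirectoryInExePath (or using PowerShell) makes the same command resolve to the real git.exe on PATH; the planted file is then only reached by an explicit ".\git". The "report.xyz" case shows the other point in the reply: cmd hands any exact match on, while PowerShell declines a name whose extension is not in PATHEXT.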