I am truly shocked that seemingly, stuff like this needs to be said in the year of 2013. I'd have supposed that things like these should be known by *anyone* doing anything even remotely similar to software development *at least* since the end of the 8.3 filename era 15 years ago. Are you sure this is real and not a prank? o_O
regards Pascal Ernster On 31.08.2013 12:58, Stefan Kanthak wrote: > Hi, > > in <http://seclists.org/fulldisclosure/2013/Aug/75> I documented > beginners errors (unquoted pathnames containing spaces) not only > in Microsoft products. > > Microsofts developer documentation but shows these beginners errors > too (and is inconsistent, even in single topics). > > Examples: > > <http://msdn.microsoft.com/library/cc144171.aspx> > > | HKEY_CLASSES_ROOT > | txtile > ... > | Shell > ... > | cmd2 > ... > | command > | (Default) = C:\Program Files\Windows > NT\Accessories\wordpad.exe %1 > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ > > <http://msdn.microsoft.com/library/bb165967.aspx> > > | [HKEY_CLASSES_ROOT\Applications\VSLauncher.exe\Shell\Open\Command] > | @="C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe > \"%1\"" > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > | [HKEY_CLASSES_ROOT\VisualStudio.csproj.8.0\shell\Open\Command] > | @="\"C:\\Program Files\\Common Files\\Microsoft > Shared\\MSEnv\\VSLauncher.exe\" \"%1\"" > > > <http://msdn.microsoft.com/library/cc144083.aspx> > > | HKEY_LOCAL_MACHINE > | SOFTWARE > | Classes > | contoso-search > | shell > | open > | command > | (Default) = > "%ProgramFiles%\Contoso\Search\contososearch.exe %1" > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ > > <http://msdn.microsoft.com/library/cc144154.aspx> > > | HKEY_LOCAL_MACHINE > | SOFTWARE > | Classes > | LitwarePlayer11.AssocFile.... > ... > | shell > | open > | command > | (Default) = %ProgramFiles%\Litware\litware.exe > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > <http://msdn.microsoft.com/library/hh127450.aspx> > > | HKEY_CLASSES_ROOT > | CLSID > | {0052D9FC-6764-4D29-A66F-2F3BD9E2BB40} > | Shell > | Open > | Command > | (Default) = [REG_EXPAND_SZ] > %ProgramFiles%\MyCorp\MyApp.exe /Settings > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > > <http://msdn.microsoft.com/library/cc144188.aspx> > > | <sh:task id="{3B75A7AE-C4E4-4E5A-9420-7CECCDA75425}"> > | <!-- This is a generated GUID, specific to this task link --> > | <sh:name>@myTextResources.dll,-100</sh:name> > | <sh:keywords>@myTextResources.dll,-101</sh:keywords> > | <sh:command>%ProgramFiles%\Microsoft > Games\Solitaire\solitaire.exe</sh:command> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > | </sh:task> > > > Example with ambiguous/inconsistent use of quotes: > > <http://msdn.microsoft.com/en-us/library/aa767914.aspx> > > | HKEY_CLASSES_ROOT > | alert > | (Default) = "URL:Alert Protocol" > ^ ^ > | URL Protocol = "" > ^^ > | DefaultIcon > | (Default) = "alert.exe,1" > ^ ^ > | shell > | open > | command > | (Default) = "C:\Program Files\Alert\alert.exe" "%1" > > > Counterexamples: > > <http://msdn.microsoft.com/library/cc144175.aspx> > <http://msdn.microsoft.com/library/cc144101.aspx> > > | Note: If any element of the command string contains or might contain > | spaces, it must be enclosed in quotation marks. Otherwise, if the > | element contains a space, it will not parse correctly. For instance, > | "My Program.exe" starts the application properly. If you use > | My Program.exe without quotation marks, then the system attempts to > | launch My with Program.exe as its first command line argument. You > | should always use quotation marks with arguments such as "%1" that are > | expanded to strings by the Shell, because you cannot be certain that > | the string will not contain a space. > > > <http://msdn.microsoft.com/library/dd203067.aspx> > <http://msdn.microsoft.com/library/cc144109.aspx> > > > regards > Stefan Kanthak > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/