New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Experimental feature PSNativeCommandArgumentPassing doesn't support arguments with embedded double quotes when calling batch files #15250
Comments
The proposed fix would be to special case |
Indeed, @SteveL-MSFT. It is part of what I've been proposing for months, repeatedly, in conversations you were a part of: here and here and here, which finally evolved into a - hopefully comprehensive and final - proposal in #15143, which summarizes all accommodations that I think are vital to make on Windows, the need to escape Excuse me for shouting, but it's out of desperation over these issues seemingly never being paid proper attention to; this isn't a personal concern; rather, I think these issues are of vital importance for all PowerShell users, and we should finally get them right. Therefore, I ask you to please take the time to fully understand and discuss:
Moved to #15143 (comment) |
@SteveL-MSFT, I've moved the gist of my previous comment to #15143 (comment), to have all the relevant information in one place. Note that a new bug has since joined the ranks: #15276 |
Any updates on this bug? |
summary of issue #992 failed without feedback to the user This is because the download failed, due to an ampersand in the query parameters, causing the end of the URL to be interpreted as a separate command. This is a minor security risk, as it could cause remote code injection. Additionally, users should be alerted as to why their download has failed, instead of failing silently. Dev process PowerShell has a bug with stripping quotes when passing to batch scripts (PowerShell/PowerShell#15250). Additionally, no validation error is written to file if the downloaded file was not a valid zip file. Refer to nvaccess/addon-datastore-validation#31 where these issues are fixed. testing See example nvaccess#11 where a comment was successfully posted and urls were successfully quoted via this action run
…valid (#31) See also: nvaccess/addon-datastore#1008 PowerShell has a bug with stripping quotes when passing to batch scripts (PowerShell/PowerShell#15250). Additionally, no validation error was written to file if the downloaded file was not a valid zip file. testing See example nvaccess/addon-datastore-staging#11 where a comment was successfully posted and urls were successfully quoted via this action run
Bump to keep open |
Similar to #15239, this issue would be resolved by the proposal in #15143. See also: #15261 and #15276
Note that high-profile CLIs such as
az
andnpm
(Node.js's package manager), for script-based utilities that come with packages, use batch files as their entry points.Steps to reproduce
Run the following on Windows:
Expected behavior
The test should succeed.
Actual behavior
The test fails, because the argument with embedded
"
isn't passed batch-file-appropriately - batch files (cmd.exe
) do not recognize\"
as an escaped"
and require""
instead:Note the literally retained
\
and the unexpected breakup into two arguments.For this invocation to succeed it would have to pass verbatim
Andre "The Hawk" Dawson
as"Andre ""The Hawk"" Dawson"
- i.e. escaping the embedded"
as""
rather than\"
- on the command line used behind the scenes.Environment data
The text was updated successfully, but these errors were encountered: