`run "perl6" ...` can be made to execute shell commands #6591

Open
p6rt opened this issue Oct 10, 2017 · 3 comments

@p6rt p6rt commented Oct 10, 2017

Migrated from rt.perl.org#132258 (status was 'new')

Searchable as RT132258$

@p6rt p6rt commented Oct 10, 2017

From @zoffixznet

On Windows, cmd.exe has different quoting for arguments than CreateProcess() and according to a Microsoft blog[1] there's no one-size-fits-all solution.

While run() will quote stuff just fine for non-cmd.exe programs, the `perl6` executable on Windows is a batch file, which makes `run 'perl6', ...` go through cmd.exe and its quoting, and it's possible to introduce security issues:

  run $*EXECUTABLE, '-e', '"&whoami'; # executes `whoami` on the shell, as can be seen by output at the end

The same problem exists with Perl's system:

  system 'perl6', ('-e', '"" &whoami'); # executes `whoami` on the shell

So I'd assume the problem can't be solved entirely behind the scenes, precisely because there's no one-size-fits-all solution.

However, even in Rakudo's own test suite there are `run`s that run $*EXECUTABLE, feeding it improperly quoted arguments.
It's not very obvious that `perl6` is a batch file and that it'd need special quoting.

So I think we need to:

1) Find a way to un-batch it. Make `perl6` a proper executable
2) Maybe add `:win-cmd-quoting` arg to `run` that will properly quote args for use with cmd.exe when we're running on Windows, so at least there's an easy option for users to use, if they so require

[1] https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/

@p6rt p6rt commented Oct 10, 2017

From @zoffixznet

P.S.: actually `run 'perl6', '-e', '"&whoami';` doesn't seem to execute `whoami` on the shell (judging by output at least), however `run $*EXECUTABLE` or `run 'perl6.bat'` do

@p6rt p6rt commented Oct 10, 2017

From @zoffixznet

Worse still; there doesn't seem to be a way to make `run` work with `cmd.exe` commands at all. Even if you escape the args yourself properly, they seem to get butchered by libuv's quoting. There's a UV_PROCESS_WINDOWS_VERBATIM_ARGUMENTS that'd avoid quoting, though currently we have it off (so non-cmd.exe args get processed right)
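
The quoting mismatch described in this thread, as an added Python example (not code from the issue or from Rakudo): it applies the two-step quoting from the linked Microsoft post [1] to the argument from the report. The function names are hypothetical, and `unquoted_operators` is a simplified model of how cmd.exe tracks quotes, not its full parser.

```python
CMD_META = '()%!^"<>&|'   # characters cmd.exe treats specially

def argv_quote(arg: str) -> str:
    """Quote one argument so a CommandLineToArgvW-style parser recovers it."""
    if arg and not any(c in ' \t\n\v"' for c in arg):
        return arg
    out, backslashes = ['"'], 0
    for ch in arg:
        if ch == '\\':
            backslashes += 1
            continue
        if ch == '"':
            # Backslashes before a quote are doubled, plus one to escape it.
            out.append('\\' * (backslashes * 2 + 1) + '"')
        else:
            out.append('\\' * backslashes + ch)
        backslashes = 0
    out.append('\\' * (backslashes * 2) + '"')  # trailing backslashes doubled
    return ''.join(out)

def cmd_escape(text: str) -> str:
    """Second step: prefix every cmd.exe metacharacter with ^."""
    return ''.join('^' + c if c in CMD_META else c for c in text)

def unquoted_operators(cmdline: str) -> list:
    """Simplified cmd.exe scan: operators that sit outside a quoted run."""
    found, in_quotes, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '^' and not in_quotes:
            i += 2              # caret escapes the next character
            continue
        if ch == '"':
            in_quotes = not in_quotes   # cmd.exe ignores the backslash escape
        elif ch in '&|<>' and not in_quotes:
            found.append(ch)
        i += 1
    return found

ARG = '"&whoami'                    # argument taken from the report above
argv_only = argv_quote(ARG)         # correct for CreateProcess-style parsing
for_cmd = cmd_escape(argv_only)     # additionally escaped for one cmd.exe pass

if __name__ == '__main__':
    for line in (argv_only, for_cmd):
        print(line, '-> unquoted operators:', unquoted_operators(line))
```

The escaping covers a single cmd.exe parsing pass only: a batch wrapper that expands its arguments (for example through `%*`) has cmd.exe parse the expanded text again, which is one more reason for the proposal above to make `perl6` a proper executable.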
