diff options
| author | ivan <ivan@13f79535-47bb-0310-9956-ffa450edef68> | 2019-09-09 21:45:13 +0000 |
|---|---|---|
| committer | ivan <ivan@13f79535-47bb-0310-9956-ffa450edef68> | 2019-09-09 21:45:13 +0000 |
| commit | 638523ce3e83cc6181808987b5d7b153bd2ff33b (patch) | |
| tree | d57a812e52d65062ad624c85eb5f38af7753c25b /threadproc | |
| parent | 5a016c97d042dae714f9736db7ba9394f5bb88a7 (diff) | |
| download | libapr-638523ce3e83cc6181808987b5d7b153bd2ff33b.tar.gz | |
* threadproc/win32/proc.c
(apr_proc_create): Remove compatibility code for command.com which is only
available on Windows 98 and bellow.
git-svn-id: http://svn.apache.org/repos/asf/apr/apr/trunk@1866713 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'threadproc')
| -rw-r--r-- | threadproc/win32/proc.c | 53 |
1 files changed, 18 insertions, 35 deletions
diff --git a/threadproc/win32/proc.c b/threadproc/win32/proc.c index 80972599e..8f96ad6d9 100644 --- a/threadproc/win32/proc.c +++ b/threadproc/win32/proc.c @@ -518,15 +518,8 @@ APR_DECLARE(apr_status_t) apr_proc_create(apr_proc_t *new, shellcmd = apr_pstrcat(pool, "\"", shellcmd, "\"", NULL); } } - /* Command.com does not support a quoted command, while cmd.exe demands one. - */ - i = strlen(progname); - if (i >= 11 && strcasecmp(progname + i - 11, "command.com") == 0) { - cmdline = apr_pstrcat(pool, shellcmd, " /C ", argv0, cmdline, NULL); - } - else { - cmdline = apr_pstrcat(pool, shellcmd, " /C \"", argv0, cmdline, "\"", NULL); - } + + cmdline = apr_pstrcat(pool, shellcmd, " /C \"", argv0, cmdline, "\"", NULL); } else { @@ -556,34 +549,24 @@ APR_DECLARE(apr_status_t) apr_proc_create(apr_proc_t *new, shellcmd = apr_pstrcat(pool, "\"", shellcmd, "\"", NULL); } } - i = strlen(progname); - if (i >= 11 && strcasecmp(progname + i - 11, "command.com") == 0) { - /* XXX: Still insecure - need doubled-quotes on each individual - * arg of cmdline. Suspect we need to postpone cmdline parsing - * until this moment in all four code paths, with some flags - * to toggle 'which flavor' is needed. - */ - cmdline = apr_pstrcat(pool, shellcmd, " /C ", argv0, cmdline, NULL); + + /* We must protect the cmdline args from any interpolation - this + * is not a shellcmd, and the source of argv[] is untrusted. + * Notice we escape ALL the cmdline args, including the quotes + * around the individual args themselves. No sense in allowing + * the shift-state to be toggled, and the application will + * not see the caret escapes. + */ + cmdline = apr_caret_escape_args(pool, cmdline); + /* + * Our app name must always be quoted so the quotes surrounding + * the entire /c "command args" are unambigious. + */ + if (*argv0 != '"') { + cmdline = apr_pstrcat(pool, shellcmd, " /C \"\"", argv0, "\"", cmdline, "\"", NULL); } else { - /* We must protect the cmdline args from any interpolation - this - * is not a shellcmd, and the source of argv[] is untrusted. - * Notice we escape ALL the cmdline args, including the quotes - * around the individual args themselves. No sense in allowing - * the shift-state to be toggled, and the application will - * not see the caret escapes. - */ - cmdline = apr_caret_escape_args(pool, cmdline); - /* - * Our app name must always be quoted so the quotes surrounding - * the entire /c "command args" are unambigious. - */ - if (*argv0 != '"') { - cmdline = apr_pstrcat(pool, shellcmd, " /C \"\"", argv0, "\"", cmdline, "\"", NULL); - } - else { - cmdline = apr_pstrcat(pool, shellcmd, " /C \"", argv0, cmdline, "\"", NULL); - } + cmdline = apr_pstrcat(pool, shellcmd, " /C \"", argv0, cmdline, "\"", NULL); } } else { |