RFR: 8282008: Incorrect handling of quoted arguments in ProcessBuilder
Roger Riggs
rriggs at openjdk.java.net
Thu Feb 17 13:17:08 UTC 2022
On Wed, 16 Feb 2022 21:19:04 GMT, Olga Mikhaltsova <omikhaltcova at openjdk.org> wrote:
> This fix made equal processing of strings such as ""C:\\Program Files\\Git\\"" before and after JDK-8250568.
>
> For example, it's needed to execute the following command on Windows:
> `C:\Windows\SysWOW64\WScript.exe "MyVB.vbs" "C:\Program Files\Git" "Test"`
> it's equal to:
> `new ProcessBuilder("C:\\Windows\\SysWOW64\\WScript.exe", "MyVB.vbs", ""C:\\Program Files\\Git\\"", "Test").start();`
>
> While processing, the 3rd argument ""C:\\Program Files\\Git\\"" treated as unquoted due to the condition added in JDK-8250568.
>
> private static String unQuote(String str) {
> ..
> if (str.endsWith("\\"")) {
> return str; // not properly quoted, treat as unquoted
> }
> ..
> }
>
>
> that leads to the additional surrounding by quotes in ProcessImpl::createCommandLine(..) because needsEscaping(..) returns true due to the space inside the string argument.
> As a result the native function CreateProcessW (src/java.base/windows/native/libjava/ProcessImpl_md.c) gets the incorrectly quoted argument:
>
> pcmd = C:\Windows\SysWOW64\WScript.exe MyVB.vbs ""C:\Program Files\Git"" Test
> (jdk.lang.Process.allowAmbiguousCommands = true)
> pcmd = "C:\Windows\SysWOW64\WScript.exe" MyVB.vbs ""C:\Program Files\Git\\"" Test
> (jdk.lang.Process.allowAmbiguousCommands = false)
>
>
> Obviously, a string ending with `"\\""` must not be started with `"""` to treat as unquoted overwise it’s should be treated as properly quoted.
Actually, there's a bit more to this than first meets the eye.
"A double quote mark preceded by a backslash (") is interpreted as a literal double quote mark (")."
According to: https://docs.microsoft.com/en-us/cpp/cpp/main-function-command-line-args
That was the reason for the change in JDK-8250568.
So the application supplied quotes combined with the trailing file separator results in unbalanced quotes.
Without the application supplied quotes, the implementation quotes the string (because of the embedded space) and doubles up the backslash so it does not escape the final quote.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7504
More information about the core-libs-dev
mailing list