RFR: 8282008: Incorrect handling of quoted arguments in ProcessBuilder [v2]

Roger Riggs rriggs at openjdk.java.net
Fri Feb 18 16:35:50 UTC 2022


On Fri, 18 Feb 2022 16:07:29 GMT, Olga Mikhaltsova <omikhaltcova at openjdk.org> wrote:

>> This fix made equal processing of strings such as `"\"C:\\Program Files\\Git\\\""` before and after JDK-8250568.
>> 
>> For example, it's needed to execute the following command on Windows:
>> `C:\Windows\SysWOW64\WScript.exe "MyVB.vbs" "C:\Program Files\Git" "Test"`
>> it's equal to:
>> `new ProcessBuilder("C:\\Windows\\SysWOW64\\WScript.exe", "MyVB.vbs", "\"C:\\Program Files\\Git\\\"", "Test").start();`
>> 
>> While processing, the 3rd argument `"\"C:\\Program Files\\Git\\\""` is treated as unquoted due to the condition added in JDK-8250568.
>> 
>>     private static String unQuote(String str) {
>>         ..
>>         if (str.endsWith("\\\"")) {
>>             return str;    // not properly quoted, treat as unquoted
>>         }
>>         ..
>>     }
>> 
>> 
>> that leads to the additional surrounding by quotes in ProcessImpl::createCommandLine(..) because needsEscaping(..) returns true due to the space inside the string argument.
>> As a result the native function CreateProcessW (src/java.base/windows/native/libjava/ProcessImpl_md.c) gets the incorrectly quoted argument: 
>> 
>> pcmd = C:\Windows\SysWOW64\WScript.exe MyVB.vbs ""C:\Program Files\Git"" Test
>> (jdk.lang.Process.allowAmbiguousCommands = true)
>> pcmd = "C:\Windows\SysWOW64\WScript.exe" MyVB.vbs ""C:\Program Files\Git\\"" Test
>> (jdk.lang.Process.allowAmbiguousCommands = false)
>> 
>> 
>> Obviously, a string ending with `"\\\""` must not start with `"\""` to be treated as unquoted; otherwise it should be treated as properly quoted.
>
> Olga Mikhaltsova has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Add test for JDK-8282008

@omikhaltsova Please take another look at the comment above.  The fix incorrectly allows a final double-quote to be escaped, resulting in unbalanced quotes and possibly allowing an argument to be joined with the next.
The recommendation is for the application to NOT add quotes to arguments and allow ProcessBuilder to do the necessary quoting.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7504
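
The unbalanced-quote concern raised in the reply above, as an added example that is not part of the original thread or the JDK source. It is a simplified model of the documented Microsoft C runtime argument-parsing rules; the class and method names are hypothetical, the command lines are constructed, and the `""` special case inside quotes is omitted.

```java
import java.util.ArrayList;
import java.util.List;

public class QuoteDemo {
    // Simplified model of the documented Microsoft C runtime argv rules:
    // 2n backslashes + quote   -> n backslashes, the quote toggles quoting;
    // 2n+1 backslashes + quote -> n backslashes and a literal quote.
    static List<String> parse(String cmd) {
        List<String> args = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean inQuotes = false, started = false;
        int i = 0;
        while (i < cmd.length()) {
            char c = cmd.charAt(i);
            if (c == '\\') {
                int n = 0;
                while (i < cmd.length() && cmd.charAt(i) == '\\') { n++; i++; }
                boolean beforeQuote = i < cmd.length() && cmd.charAt(i) == '"';
                cur.append("\\".repeat(beforeQuote ? n / 2 : n));
                started = true;
                if (beforeQuote) {
                    if (n % 2 == 1) cur.append('"');   // escaped: literal quote
                    else inQuotes = !inQuotes;         // real delimiter
                    i++;
                }
            } else if (c == '"') {
                inQuotes = !inQuotes; started = true; i++;
            } else if ((c == ' ' || c == '\t') && !inQuotes) {
                if (started) { args.add(cur.toString()); cur.setLength(0); started = false; }
                i++;
            } else {
                cur.append(c); started = true; i++;
            }
        }
        if (started) args.add(cur.toString());
        return args;
    }

    public static void main(String[] a) {
        // Constructed command lines; script and path names follow the thread's example.
        String callerQuoted = "WScript.exe MyVB.vbs \"C:\\Program Files\\Git\\\" Test";
        String balanced     = "WScript.exe MyVB.vbs \"C:\\Program Files\\Git\\\\\" Test";
        System.out.println(parse(callerQuoted)); // single backslash before closing quote
        System.out.println(parse(balanced));     // trailing backslash doubled
    }
}
```

In the first command line the closing quote is consumed as a literal character, so `Test` is absorbed into the path argument; in the second the quote remains a delimiter and `Test` stays a separate argument.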

