Proposed JEP: Safer Process Launch by ProcessBuilder and Runtime.exec
Roger Riggs
roger.riggs at oracle.com
Fri Jan 28 20:26:35 UTC 2022
Hi Raffaello,
My mistake, the problem with empty args was fixed in 17 as well as some
of the problems with
escaping of double-quotes. The default legacy mode does not check for
unbalanced quotes
possible merging of arguments. The simplest case are for .exe
execution, in which the
argument parsing by applications allows a more reliable encoding.
The command parsing by cmd.exe is less flexible and has more issues.
Setting the system property
jdk.lang.Process.allowAmbiguousCommands=false applies some
additional checks. But it is not the default. It is a goal to reduce the
number
of modes and simplify the code in the Windows ProcessImpl.
I'm all in favor of solving the problem on Windows, suggestions welcome.
But also a consideration is not breaking (too many) existing applications.
Thanks, Roger
On 1/28/22 2:14 PM, Raffaello Giulietti wrote:
> Hi Roger,
>
> I'm trying the following (ugly) code on JDK 17/Win, where Args.exe
> does nothing else than writing out its argv[], redirecting to a log file.
>
> public static void main(String[] args) throws IOException,
> InterruptedException {
> String[] command = {
> "C:\\Users\\alpha\\Args.exe",
> "",
> "a",
> "",
> "b",
> "",
> };
> var processBuilder = new ProcessBuilder(command);
> processBuilder.redirectOutput(new
> File("C:\\Users\\alpha\\my.log"));
> var process = processBuilder.start();
> Thread.sleep(2_000);
> System.out.println("process.exitValue() = " +
> process.exitValue());
> }
>
>
> Here's the log file
>
> argv[0] = [C:\Users\alpha\Args.exe]
> argv[1] = []
> argv[2] = [a]
> argv[3] = []
> argv[4] = [b]
> argv[5] = []
>
> so empty args seem to work correctly, at least in this plain example.
>
> Have you specific examples that behave incorrectly?
> I'm asking because I'd like to setup a simple set of rules to solve
> the issue on Windows altogether.
>
>
>
>
>
> On 2022-01-28 16:48, Roger Riggs wrote:
>> Hi Raffaello,
>>
>> For .exe executables, one example is an empty string in the list of
>> arguments to ProcessBuilder.
>> The empty string is not visible in the generated command line. For
>> position sensitive commands, it appears the argument is dropped.
>> An argument in ProcessBuilder with mismatched quotes can cause the
>> argument to be joined with the next in the generated command line.
>> A stray "\" at the end of an argument can cause the following
>> character to be quoted, possibly joining the argument with the next.
>>
>> For .cmd executables, cmd.exe interprets more characters as argument
>> separators and will split arguments.
>> For example, an argument with a semi-colon or comma, (unquoted) will
>> be split into two arguments when parsed by cmd.exe.
>> The goal is to improve the integrity and robustness of the command
>> encoding.
>>
>> Thanks, Roger
>>
>>
>> On 1/28/22 4:07 AM, Raffaello Giulietti wrote:
>>> Hello,
>>>
>>> if I understand correctly, the issue addressed here (on Windows) is
>>> how to assemble a single command string from an array of argument
>>> strings to pass to CreateProcess() in a way that the individual
>>> argument strings can be fully recovered in the invoked program.
>>> Similarly when the command string is passed to an instance of cmd.exe.
>>>
>>> Are there known (non security critical) examples that do not work
>>> correctly JDK 18 or earlier?
>>>
>>>
>>> Greetings
>>> Raffaello
>>>
>>>
>>> On 2022-01-20 19:05, Roger Riggs wrote:
>>>> A JEP to Improve safety of process launch by ProcessBuilder and
>>>> Runtime.exec on Windows[1].
>>>>
>>>> Argument encoding errors have been problematic on Windows systems
>>>> due to
>>>> improperly quoted command arguments.
>>>>
>>>> The idea is to tighten up quoting and encoding of command line
>>>> arguments.
>>>>
>>>> Comments appreciated, Roger
>>>>
>>>> [1] https://bugs.openjdk.java.net/browse/JDK-8263697
>>
More information about the core-libs-dev
mailing list