Proposed JEP: Safer Process Launch by ProcessBuilder and Runtime.exec
Raffaello Giulietti
raffaello.giulietti at gmail.com
Fri Feb 18 20:18:22 UTC 2022
Hello,
to overcome some of the problems with parsing and generating Windows
command lines, I implemented two classes [1] that attempt to provide a
more sophisticated solution. To be clear, they do not create processes
or launch programs. They only serve as a parser and an "escaper".
Currently, they are completely outside the OpenJDK codebase to avoid
interfering with the current behavior. The intent is to have a concrete
basis for a more thorough discussion and some code to experiment with.
Later, the code can be integrated into OpenJDK if so desired.
Both classes perform a straightforward, one-pass left-to-right
processing (each character is read only once) without back-patching.
They only make use of String, StringBuilder and ArrayList.
Two important technical aspects must be kept in mind when later using
the outcomes of these classes to start new processes on Windows. Both
are related to the interplay between the Windows function
CreateProcess() [2] and the C/C++ runtime [3]:
* A program can parse the command line as it deems useful. There are no
hard rules, only conventions. These classes assume that the program
denoted on the command line will perform parsing as done by the Windows
C/C++ runtime conventions [3]. If this assumption is invalid, there's no
point in using these classes.
* In particular, the "shell" cmd.exe parses the command line in a
different way. While not currently exposed in these classes, it would be
easy to add a specific parser and escaper for cmd.exe as well.
* Absent the application name, the initial section of the command line
passed to CreateProcess() is parsed by it to locate the program to
launch. The way it parses the program part when it is unquoted is too
cumbersome and depends on the content of the filesystem [2]. Trying to
re-implement this parsing would introduce a potential source of troubles
that could later lead to launching an unintended program. Thus, for
simplification and caution, these classes assume that the program part
is always quoted, throwing otherwise.
Greetings
Raffaello
----
[1] https://github.com/rgiulietti/experiments
[2] https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
[3] https://docs.microsoft.com/en-us/cpp/c-language/parsing-c-command-line-arguments
On 2022-01-20 19:05, Roger Riggs wrote:
> A JEP to Improve safety of process launch by ProcessBuilder and
> Runtime.exec on Windows[1].
>
> Argument encoding errors have been problematic on Windows systems due to
> improperly quoted command arguments.
>
> The idea is to tighten up quoting and encoding of command line arguments.
>
> Comments appreciated, Roger
>
> [1] https://bugs.openjdk.java.net/browse/JDK-8263697
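An added example, not part of the original message and not the code in the repository linked above: a minimal one-pass "escaper" that follows the Windows C/C++ runtime parsing conventions the message refers to and always quotes the program part. The class and method names are hypothetical, the sample arguments are constructed, and cmd.exe parsing is not covered.

```java
import java.util.List;

public class WinCmdLineEscaper {   // hypothetical name, not from the linked repository

    // Appends one argument, quoted so that a program using the Windows C/C++
    // runtime conventions gets it back unchanged. Single left-to-right pass:
    // backslashes are held back until the next character shows how to emit them.
    static void appendArg(StringBuilder sb, String arg) {
        sb.append('"');
        int pending = 0;                       // length of the current backslash run
        for (int i = 0; i < arg.length(); i++) {
            char c = arg.charAt(i);
            if (c == 0) {
                throw new IllegalArgumentException("NUL would truncate the command line");
            } else if (c == '\\') {
                pending++;
            } else if (c == '"') {
                // 2n+1 backslashes + quote parse as n backslashes and a literal quote
                sb.append("\\".repeat(2 * pending + 1)).append('"');
                pending = 0;
            } else {
                // backslashes not followed by a quote are literal: emit as they are
                sb.append("\\".repeat(pending)).append(c);
                pending = 0;
            }
        }
        // a run just before the closing quote is doubled so the quote still closes
        sb.append("\\".repeat(2 * pending)).append('"');
    }

    // Builds a full command line. The program part is always quoted; a name
    // that contains a quote cannot be quoted unambiguously, so it is rejected.
    static String build(String program, List<String> args) {
        if (program.isEmpty() || program.indexOf('"') >= 0 || program.indexOf(0) >= 0) {
            throw new IllegalArgumentException("program part cannot be quoted safely");
        }
        StringBuilder sb = new StringBuilder().append('"').append(program).append('"');
        for (String a : args) {
            sb.append(' ');
            appendArg(sb, a);
        }
        return sb.toString();
    }

    public static void main(String[] unused) {
        // Constructed inputs: embedded space, embedded quotes, trailing backslash, empty
        List<String> args = List.of("a b", "say \"hi\"", "C:\\dir\\", "");
        System.out.println(build("C:\\Program Files\\tool.exe", args));
    }
}
```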