RFR: 8282008: Incorrect handling of quoted arguments in ProcessBuilder [v3]

Maxim Kartashev duke at openjdk.java.net
Fri Feb 25 16:17:00 UTC 2022 

On Fri, 18 Feb 2022 17:21:48 GMT, Olga Mikhaltsova <omikhaltcova at openjdk.org> wrote:

>> This fix made equal processing of strings such as ""C:\\Program Files\\Git\\"" before and after JDK-8250568.
>> 
>> For example, it's needed to execute the following command on Windows:
>> `C:\Windows\SysWOW64\WScript.exe "MyVB.vbs" "C:\Program Files\Git" "Test"`
>> it's equal to:
>> `new ProcessBuilder("C:\\Windows\\SysWOW64\\WScript.exe", "MyVB.vbs", ""C:\\Program Files\\Git\\"", "Test").start();`
>> 
>> While processing, the 3rd argument ""C:\\Program Files\\Git\\"" treated as unquoted due to the condition added in JDK-8250568.
>> 
>>     private static String unQuote(String str) {
>>     .. 
>>        if (str.endsWith("\\"")) {
>>             return str;    // not properly quoted, treat as unquoted
>>         }
>>     ..
>>     }
>> 
>> 
>> that leads to the additional surrounding by quotes in ProcessImpl::createCommandLine(..) because needsEscaping(..) returns true due to the space inside the string argument.
>> As a result the native function CreateProcessW (src/java.base/windows/native/libjava/ProcessImpl_md.c) gets the incorrectly quoted argument: 
>> 
>> pcmd = C:\Windows\SysWOW64\WScript.exe MyVB.vbs ""C:\Program Files\Git"" Test
>> (jdk.lang.Process.allowAmbiguousCommands = true)
>> pcmd = "C:\Windows\SysWOW64\WScript.exe" MyVB.vbs ""C:\Program Files\Git\\"" Test
>> (jdk.lang.Process.allowAmbiguousCommands = false)
>> 
>> 
>> Obviously, a string ending with `"\\""` must not be started with `"""` to treat as unquoted overwise it’s should be treated as properly quoted.
>
> Olga Mikhaltsova has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Add a new line to the end of test file for JDK-8282008

It is apparent there is no one "correct" way to quote, but one of the key features of the Java ecosystem has been its backwards compatibility. In that light, this change allows our clients to continue doing what they did the way they did it without the need for modification of their Java code or their (maybe even foreign) native code. FWIW.

Separately from the above, I wonder if this change would make the fix less controversial?

-        if (str.endsWith("\\"")) {
+        if (str.endsWith("\\"") && !str.endsWith("\\\\"")) {

This way we verify that the end quote is really just an escaped quote, while correctly identifying escaped backslash as having nothing to do with the following quote.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7504

More information about the core-libs-dev mailing list