[Mono-list] Starting processes with parameters from Mono 0.31 and mono-0.31.99.20040331

Gonzalo Paniagua Javier gonzalo@ximian.com
Tue, 06 Apr 2004 18:16:48 +0200


On Wed, 07-04-2004 at 02:51, Jonathan Gilbert wrote:
> At 04:02 PM 06/04/2004 +0200, Gonzalo wrote:
> >El miE 07-04-2004 a las 00:15, Jonathan Gilbert escribiE
> [snip]
> >> For this command-line, ShellExecute searches for files whose name (w/o
> >> extension) are each of the following, in this order:
> >> 
> >> "c:\\Program" (.exe, .com, .bat, .cmd, ..)
> >> "c:\\Program Files\\Fubar" (.exe, .com, .bat, .cmd, ..)
> >> "c:\\Program Files\\Fubar Corp\\Example" (.exe, .com, .bat, .cmd, ..)
> >> "c:\\Program Files\\Fubar Corp\\Example 1.exe" (.exe, .com, .bat, .cmd, ..)
> >> "c:\\Program Files\\Fubar Corp\\Example 1.exe params" (.exe, .com, .bat,
> >> .cmd, ..)
> >> 
> >> Any one of those first 3 can be used to "hijack" the program, such that
> >> badly-written code using ShellExecute will run the wrong binary! I believe
> >> the MSDN documentation for ShellExecute warns about this issue.
> >
> >Isn't that what you get with 'cmd /c whatever'?
> 
> No. "cmd /c whatever" will only check the first word.
> 
> [x:\]cmd /c c:\Program Files\Windows Media Player\mplayer2.exe
> 'c:\Program' is not recognized as an internal or external command,
> operable program or batch file.

Oh, we didn't pass the first argument in quotes, but we do now.

-Gonzalo
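
Added example, not part of the original thread and not Mono's code: a small audit helper that reproduces the candidate list quoted above for an unquoted command line and shows that quoting the program path leaves a single candidate. The function names and the sample path handling are assumptions made for illustration; the path itself is the one used in the thread.

```python
import re

def candidate_programs(command_line):
    """Program names an unquoted command line is tried as, in order.

    Follows the search described in the thread: the string is cut at each
    whitespace boundary, and every prefix is a candidate file name.
    A leading quoted token yields exactly one candidate.
    """
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return [cl[1:end] if end != -1 else cl[1:]]
    cuts = [m.start() for m in re.finditer(r"\s+", cl)] + [len(cl)]
    return [cl[:i] for i in cuts]

def hijackable_prefixes(intended_program, command_line):
    """Candidates tried before the intended program is reached."""
    earlier = []
    for cand in candidate_programs(command_line):
        if cand.lower() == intended_program.lower():  # Windows paths: case-insensitive
            break
        earlier.append(cand)
    return earlier

def build_command_line(program, arguments=""):
    """Quote the program path so it is parsed as one token."""
    if '"' in program:
        raise ValueError("a Windows file path cannot contain a double quote")
    return f'"{program}" {arguments}'.rstrip()

# Constructed sample input, using the path from the thread.
PROGRAM = r"c:\Program Files\Fubar Corp\Example 1.exe"
UNQUOTED = PROGRAM + " params"

if __name__ == "__main__":
    print("unquoted candidates:")
    for c in candidate_programs(UNQUOTED):
        print("   ", c)
    print("tried before the real binary:", hijackable_prefixes(PROGRAM, UNQUOTED))
    fixed = build_command_line(PROGRAM, "params")
    print("quoted:", fixed)
    print("tried before the real binary:", hijackable_prefixes(PROGRAM, fixed))
```

Only the program path is quoted here; escaping of the arguments themselves is left to the caller.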