Call Set delimiter for avoid injection ?

Discussion forum for all Windows batch related topics.

Moderator: DosItHelp

carlos
Expert
Posts: 503
Joined: 20 Aug 2010 13:57
Location: Chile

Call Set delimiter for avoid injection ?

#1 Post by carlos » 28 Apr 2013 06:14

Hello.
Similarly to the recommended parenthesis delimiter in the echo command, Echo(, what is the recommended delimiter in the call set command (used for double expansion) to avoid something like this:

set.cmd

Code:

Echo Injection


test.cmd

Code:

@Echo Off
Set "text=Hi"
Set "var=%%text%%"

Call Set "exp=%var%"

Echo(%exp%


If set.cmd does not exist, test.cmd prints:

Code:

Hi


but if set.cmd exists, test.cmd prints:

Code:

Injection



My question is because I really need to do a double expansion, without delayed expansion and without a call to a label; I need to do it while avoiding possible calls to a possible set.exe, set.cmd or set.bat.

foxidrive
Expert
Posts: 6031
Joined: 10 Feb 2012 02:20

Re: Call Set delimiter for avoid injection ?

#2 Post by foxidrive » 28 Apr 2013 06:29

In your case you need to control the environment of the bat file.

if exist set.* del set.*

jeb
Expert
Posts: 1041
Joined: 30 Aug 2007 08:05
Location: Germany, Bochum

Re: Call Set delimiter for avoid injection ?

#3 Post by jeb » 28 Apr 2013 06:58

Or you could disable PATH and PATHEXT, so set.cmd will not be searched for, nor executed.

Code:

rem !var! syntax: this fragment assumes delayed expansion is enabled
set "PATH_ORG=!PATH!"
set "PATHEXT_ORG=!PATHEXT!"
rem clear both before the CALL so there is nowhere to look for an external set
set "PATH="
set "PATHEXT="
Call Set "exp=%var%"
set "PATH=!PATH_ORG!"
set "PATHEXT=!PATHEXT_ORG!"


This will also speed up your code

foxidrive
Expert
Posts: 6031
Joined: 10 Feb 2012 02:20

Re: Call Set delimiter for avoid injection ?

#4 Post by foxidrive » 28 Apr 2013 07:05

On testing it - the current directory is searched anyway.


Code:

@Echo Off

set "PATH_ORG=%PATH%"
set "PATHEXT_ORG=%PATHEXT%"
set path=
set pathext=

Set "text=Hi"
Set "var=%%text%%"

Call Set "exp=%var%"

Echo(%exp%

set "PATH=%PATH_ORG%"
set "PATHEXT=%PATHEXT_ORG%"

pause



Injection

Press any key to continue . . .

Liviu
Expert
Posts: 470
Joined: 13 Jan 2012 21:24

Re: Call Set delimiter for avoid injection ?

#5 Post by Liviu » 28 Apr 2013 10:14

foxidrive wrote: On testing it - the current directory is searched anyway.

Code:

set pathext=

An empty/undefined pathext falls back to some internal hardcoded default. Try rather:

Code:

set pathext=;

I remember this having been mentioned before, for example http://www.dostips.com/forum/viewtopic.php?f=3&t=2521&start=0.

Liviu

foxidrive
Expert
Posts: 6031
Joined: 10 Feb 2012 02:20

Re: Call Set delimiter for avoid injection ?

#6 Post by foxidrive » 28 Apr 2013 22:07

Thanks Liviu,

it works as it should then. That'll solve carlos' issue.

carlos
Expert
Posts: 503
Joined: 20 Aug 2010 13:57
Location: Chile

Re: Call Set delimiter for avoid injection ?

#7 Post by carlos » 29 Apr 2013 13:12

Thanks for all the replies.

It seems that it is only needed to use:

Code:

Set PATHEXT=;


Is it really needed to disable PATH?

Liviu
Expert
Posts: 470
Joined: 13 Jan 2012 21:24

Re: Call Set delimiter for avoid injection ?

#8 Post by Liviu » 30 Apr 2013 22:22

carlos wrote: Is it really needed to disable PATH?

Not technically "needed", but it helps performance, as pointed out in the linked post.
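A complete test of the fix discussed in this thread, added here as an example (it is not code posted by carlos, foxidrive, jeb or Liviu). It plants a constructed decoy set.cmd in %TEMP%, runs the double expansion once unprotected and once with PATHEXT set to ";", and restores PATHEXT afterwards. The save/restore pattern and the ";" value are the ones from the thread; the decoy file, its %TEMP% location and the bracketed output are this example's own choices.

```batch
@echo off
rem Added example: CALL SET double expansion hardened against a set.exe/set.cmd/set.bat
rem in the current directory or on PATH. Delayed expansion is not used.

rem Constructed decoy for the test, created in %TEMP% and removed at the end.
pushd "%TEMP%"
>set.cmd echo Echo Injection

set "text=Hi"
set "var=%%text%%"
set "exp="

rem 1) Unprotected: CALL looks for an external set.* first, finds set.cmd in the
rem    current directory and runs it. "Injection" is printed and exp stays empty.
call set "exp=%var%"
echo(unprotected: [%exp%]

rem 2) Protected: PATHEXT=";" leaves no extension to try, so no external set.*
rem    can match and the internal SET runs. An empty PATHEXT would NOT work:
rem    cmd then falls back to its built-in default list. Clearing PATH is
rem    optional; it only skips the directory search and saves time.
set "PATHEXT_ORG=%PATHEXT%"
set "PATHEXT=;"
call set "exp=%var%"
set "PATHEXT=%PATHEXT_ORG%"
echo(protected:   [%exp%]

del set.cmd
popd
```

Run it from any directory; the first echo shows an empty value after the decoy has printed "Injection", the second shows "Hi". Because PATHEXT is restored immediately after the CALL, the rest of the script can still run external commands normally.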

jeb
Expert
Posts: 1041
Joined: 30 Aug 2007 08:05
Location: Germany, Bochum

Re: Call Set delimiter for avoid injection ?

#9 Post by jeb » 01 May 2013 11:55

But overall it's better to use delayed expansion.
It's faster and more stable, as CALL always has problems with special characters.

CALL doubles all carets, and it's tricky to escape special characters:

Code:

call echo One caret "^"
set "caret=^"
call echo Escape an ampersand %%caret%%^& works


jeb
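The delayed-expansion alternative, added as an example (not code from jeb's post): the variable holds the name of the target instead of the literal "%text%", and the indirection !%name%! happens in the delayed-expansion phase, after command parsing, so no command search takes place and a set.cmd in the current directory is never consulted. The sample value with a caret and an ampersand is constructed for the demonstration.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example: double (indirect) expansion without CALL.

rem Constructed value with characters that CALL would re-parse.
set "text=a ^ b & c"
rem name holds the NAME of the variable to expand, not "%text%".
set "name=text"

rem Phase 1 replaces %name% with "text", giving !text!, which is expanded
rem last, after the line has been parsed. Nothing is executed, nothing is
rem searched for, and the value is not re-parsed.
set "exp=!%name%!"
echo(!exp!

rem Contrast: "call echo %%text%%" sends the expanded value through the parser
rem a second time, where "^" acts as an escape and "& c" starts a new command.
endlocal
```

The echo prints the value exactly as stored, caret and ampersand included; that is the "more stable" property the post refers to.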

Endoro
Posts: 244
Joined: 27 Mar 2013 01:29
Location: Bozen

Re: Call Set delimiter for avoid injection ?

#10 Post by Endoro » 01 May 2013 15:20

CALL removes 3/4 percent:

Code:

@echo off & setlocal
echo two percent %%%%
call echo one percent %%%%
