Call Set delimiter to avoid injection?
Posted: 28 Apr 2013 06:14
by carlos
Hello.
Similarly to the recommended parenthesis delimiter in the echo command, Echo(, what is the recommended delimiter in the call set command (used for double expansion) to avoid something like this:
set.cmd
test.cmd
Code:
@Echo Off
Set "text=Hi"
Set "var=%%text%%"
Call Set "exp=%var%"
Echo(%exp%
If set.cmd does not exist, test.cmd prints:
but if set.cmd exists, test.cmd prints:
My question is because I really need to do a double expansion, without delayed expansion and without a call to a label; I need to do it while avoiding possible calls to a set.exe, set.cmd or set.bat.
Re: Call Set delimiter to avoid injection?
Posted: 28 Apr 2013 06:29
by foxidrive
In your case you need to control the environment of the bat file.
if exist set.* del set.*
Re: Call Set delimiter to avoid injection?
Posted: 28 Apr 2013 06:58
by jeb
Or you could disable PATH and PATHEXT, so set.cmd will not be searched for, nor executed.
Code:
rem The !VAR! syntax below needs delayed expansion (setlocal EnableDelayedExpansion)
set "PATH_ORG=!PATH!"
set "PATHEXT_ORG=!PATHEXT!"
rem Clear both so CALL cannot find an external set.exe, set.cmd or set.bat
set "PATH="
set "PATHEXT="
Call Set "exp=%var%"
rem Restore the original search path and extension list
set "PATH=!PATH_ORG!"
set "PATHEXT=!PATHEXT_ORG!"
This will also speed up your code.
Re: Call Set delimiter to avoid injection?
Posted: 28 Apr 2013 07:05
by foxidrive
On testing it - the current directory is searched anyway.
Code:
@Echo Off
set "PATH_ORG=%PATH%"
set "PATHEXT_ORG=%PATHEXT%"
set path=
set pathext=
Set "text=Hi"
Set "var=%%text%%"
Call Set "exp=%var%"
Echo(%exp%
set "PATH=%PATH_ORG%"
set "PATHEXT=%PATHEXT_ORG%"
pause
Injection
Press any key to continue . . .
Re: Call Set delimiter to avoid injection?
Posted: 28 Apr 2013 10:14
by Liviu
foxidrive wrote: On testing it - the current directory is searched anyway.
An empty/undefined pathext falls back to some internal hardcoded default. Try rather:
I remember this having been mentioned before, for example
http://www.dostips.com/forum/viewtopic.php?f=3&t=2521&start=0.
Liviu
Re: Call Set delimiter to avoid injection?
Posted: 28 Apr 2013 22:07
by foxidrive
Thanks Liviu,
it works as it should then. That'll solve carlos' issue.
Re: Call Set delimiter to avoid injection?
Posted: 29 Apr 2013 13:12
by carlos
Thanks for all the replies.
It seems that it is only needed to use:
Is it really needed to disable PATH?
Re: Call Set delimiter to avoid injection?
Posted: 30 Apr 2013 22:22
by Liviu
carlos wrote: Is it really needed to disable PATH?
Not technically "needed", but it helps performance, as pointed out in the linked post.
Re: Call Set delimiter to avoid injection?
Posted: 01 May 2013 11:55
by jeb
But overall it's better to use delayed expansion.
It's faster and more stable, as CALL always has problems with special characters.
CALL doubles all carets, and it's tricky to escape special characters.
Code:
rem CALL doubles the caret, so the output shows two carets: One caret "^^"
call echo One caret "^"
set "caret=^"
rem %%caret%% becomes %caret% for CALL's second parse, where its caret escapes the ampersand
call echo Escape an ampersand %%caret%%^& works
jeb
Re: Call Set delimiter to avoid injection?
Posted: 01 May 2013 15:20
by Endoro
CALL removes 3/4 of the percent signs:
Code:
@echo off & setlocal
rem Normal expansion halves the four percents: two percent %%
echo two percent %%%%
rem CALL runs percent expansion a second time, halving again: one percent %
call echo one percent %%%%
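The thread's two approaches side by side, as an added example that is not from any of the posts above: a pre-check for a stray set.* (foxidrive's point), a Call Set double expansion with PATH and PATHEXT neutralised while CALL runs (jeb's and Liviu's points), and the delayed-expansion form that needs no CALL at all. The PATHEXT value ";" is an assumption, chosen only because an empty PATHEXT falls back to cmd's built-in default; where.exe is referenced by full path so it cannot be hijacked the same way.

```batch
@Echo Off
Rem Added example (not from the thread): two ways to double-expand "var".
Setlocal

Rem Guard: refuse to run if a set.* file (set.cmd, set.bat, set.exe, ...) sits in
Rem the current folder or anywhere on PATH. Full path to where.exe on purpose.
"%SystemRoot%\System32\where.exe" /q set.* && (
    Echo ERROR: a set.* file was found in the current folder or on PATH:
    "%SystemRoot%\System32\where.exe" set.*
    Exit /b 1
)

Set "text=Hi"
Set "var=%%text%%"

Rem --- 1) CALL SET with the search path neutralised for the duration of CALL ---
Set "PATH_ORG=%PATH%"
Set "PATHEXT_ORG=%PATHEXT%"
Set "PATH="
Rem Assumption: PATHEXT must stay non-empty, because an empty value makes cmd
Rem fall back to its built-in default list (as Liviu noted above).
Set "PATHEXT=;"
Call Set "exp1=%var%"
Set "PATH=%PATH_ORG%"
Set "PATHEXT=%PATHEXT_ORG%"
Echo(CALL SET : %exp1%

Rem --- 2) Delayed expansion: !%name%! becomes !text! and then Hi, no CALL involved,
Rem        so nothing external is searched and no carets are doubled ---
Setlocal EnableDelayedExpansion
Set "name=text"
Set "exp2=!%name%!"
Echo(DELAYED  : !exp2!
Endlocal

Endlocal
```

Both branches print Hi; the guard at the top is the detection step, the two branches are the mitigation.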