running any external command safely !

Discussion forum for all Windows batch related topics.

Moderator: DosItHelp

Ed Dyreen
Expert
Posts: 1568
Joined: 16 May 2011 08:21
Location: Flanders(Belgium)
Contact:

running any external command safely !

#1 Post by Ed Dyreen » 08 Feb 2019 12:57

This works.

Code: Select all

> start "" /B ""(tst).cmd""

Adding spaces...

Code: Select all

> start "" /B ""(t s t).cmd""

>
MessageBox( Windows cannot find file (t. ) :|

Code: Select all

> start "" /B "(tst).cmd"

> .cmd niet verwacht op dit moment.

Works fine from explorer...
Push works too...

Code: Select all

> pushd "W:\ED\VIP\PROJ\DEV\doskit\doskitXPserver2003 v0.1 (20190129)\Hello world ^!\"

> start "" /B ""(tst).cmd""

Hmm **censored** :confused: :?:

aGerman
Expert
Posts: 3629
Joined: 22 Jan 2010 18:01
Location: Germany

Re: what the ? start "" /B ""(tst).cmd""

#2 Post by aGerman » 08 Feb 2019 13:41

Your batch file was executed using "%comspec%" /k. If you explicitly pass option /s it should work.

Code: Select all

start "" /b cmd /s /k ""(t s t).bat""

respectively without the spaces.

Steffen


Re: what the ? start "" /B ""(tst).cmd""

#3 Post by Ed Dyreen » 08 Feb 2019 16:23

aGerman wrote:
08 Feb 2019 13:41
Your batch file was executed using "%comspec%" /k. If you explicitly pass option /s it should work.

Code: Select all

start "" /b cmd /s /k ""(t s t).bat""

respectively without the spaces.

Steffen

Indeed, cmd /K seems to force the use of start cmd /S /K later. So in order to have start behave as expected it is probably best to always use the /S /K option. The path can contain any "allowed" character and the script may or may not have been started using the /K option. :?

I am so not going to check cmdCmdLine, it wouldn't make a difference, I think your fix is generic aGerman.


Thanks.


Re: what the ? start "" /B ""(tst).cmd""

#4 Post by Ed Dyreen » 08 Feb 2019 17:19

Apparently I already solved it once elsewhere in my code. It is not /S that is required but /K.

Code: Select all

start "!$title!" !$sargs! /D "!oFile.fullPath!" "!comspec!" /K ""!oFile.file!" !$args!"

and it works :)


Re: what the ? start "" /B ""(tst).cmd""

#5 Post by aGerman » 09 Feb 2019 08:09

Interesting. The command line that appears in the task manager is the same for

Code: Select all

start "" /b cmd /K ""(tst).bat""

and for

Code: Select all

start "" /b ""(tst).bat""


Re: what the ? start "" /B ""(tst).cmd""

#6 Post by Ed Dyreen » 09 Feb 2019 10:15

aGerman wrote:
09 Feb 2019 08:09
Interesting. The command line that appears in the task manager is the same for

Code: Select all

start "" /b cmd /K ""(tst).bat""

and for

Code: Select all

start "" /b ""(tst).bat""

One can detect the /K option in the cmdCmdLine and use this knowledge to decide on consecutive /K's and program exit [/B]? %errorlevel% but it is a lot of work that can be avoided by having the child exit explicitly always.

penpen
Expert
Posts: 1686
Joined: 23 Jun 2013 06:15
Location: Germany

Re: what the ? start "" /B ""(tst).cmd""

#7 Post by penpen » 10 Feb 2019 13:55

Just because I am curious - why do you use doubled double-quotes; shouldn't the command work with double quotes using only one time?

Code: Select all

start "" /B "(t s t).cmd"

penpen


Re: what the ? start "" /B ""(tst).cmd""

#8 Post by Ed Dyreen » 10 Feb 2019 17:18

penpen wrote:
10 Feb 2019 13:55
Just because I am curious - why do you use doubled double-quotes; shouldn't the command work with double quotes using only one time?

Code: Select all

start "" /B "(t s t).cmd"

penpen

It is the '(' and ')' characters that confuse cmd if running with the /K option on my Windows XP apparently, but I suspect on your Windows too?

While analyzing with echo on I experienced difficulty in getting the characters inside a messageBox( file not found ). Not adding carets and messageBox would not be complete. Switching quotes and cmd would crash. Adding carets and they would end up in a windows explorer messageBox( file not found: (t s t^).cmd ).

The double double quotes by itself already was an attempt to tackle the problem. Apparently I had already devoted quite some code elsewhere that makes start work always and to adapt behavior when cmd /K is detected. ( when done, my script needs to return if called but exit explicitly if started with /K otherwise the window will remain open indefinitely. )

aGerman made the point
aGerman wrote:
09 Feb 2019 08:09
Interesting. The command line that appears in the task manager is the same for

Code: Select all

start "" /b cmd /K ""(tst).bat""

and for

Code: Select all

start "" /b ""(tst).bat""

I remember this, when looking at my code I see that I am not trying to match with /K but /C lowercase. if (cmdCmdLineType<>"c") {exitType = "";} else I need to add a /B exit [/B]? %errorLevel% to have it work as expected.


Re: running any external command safely !

#9 Post by Ed Dyreen » 20 Feb 2019 05:01

Running an external command in a cmd /K initiated environment the "usual" way is insecure.

Testing platform XP. Path contains brackets AND spaces:

Code: Select all

set "externalCommand=..\doskitXPserver2003 v0.1 (20190129)\Hello world ^^^!\doskitXPserver2003 v0.1 (20190129)\ext\eval\eval.EXE"
set "externalCommand"
echo.

Next fail with: The system cannot find the specified path OR X not recognized as an internal or external command, program or batch file.

Code: Select all

cmd /V:OFF /C "!externalCommand!" %arguments%
cmd /S /C ""!externalCommand!" %arguments%"
cmd /K ""!externalCommand!" %arguments%"

for /F "delims=" %%? in ( '"!externalCommand!" %arguments%' ) do echo.%%?

Note the last failing command using for. Many will use this when trying to read from an external program but it fails if externalCommand contains 'brackets' AND 'spaces' AND the 'parent process is cmd /K initiated' and therefore is completely insecure. :!:

I found a few combinations that seem to work:

Code: Select all

"%externalCommand%" %arguments%

cmd /V:ON /C ""!externalCommand!" %arguments%"
start "" cmd /K ""!externalCommand!" %arguments%"

for /F delims^=^ eol^= %%r in (	'cmd /V:ON /C ""!externalCommand!" %arguments%"') do echo.%%r

dbenham
Expert
Posts: 2254
Joined: 12 Feb 2011 21:02
Location: United States (east coast)

Re: running any external command safely !

#10 Post by dbenham » 20 Feb 2019 10:52

I have only casually browsed this topic, so I may be barking up the wrong tree...

But perhaps your problem has something to do with the intermittent XP bug when a FOR /F IN() clause contains an unquoted/unescaped token delimiter.
Remember that one :!: :?: :twisted:

I definitely see an unquoted/unescaped space in the following, and there may be more depending on the content of %arguments%
Ed Dyreen wrote:

Code: Select all

...
for /F "delims=" %%? in ( '"!externalCommand!" %arguments%' ) do echo.%%?

Dave Benham


Re: running any external command safely !

#11 Post by Ed Dyreen » 21 Feb 2019 14:58

dbenham wrote:
20 Feb 2019 10:52
But perhaps your problem has something to do with the intermittent XP bug when a FOR /F IN() clause contains an unquoted/unescaped token delimiter.

I think we can exclude that one.

Code: Select all

parent cmd /K    regular for 'unescaped'    works
yes              yes                        no
yes              no                         no
no               yes                        yes
no               no                         yes

Although the problem arose in a for after the path included '(' and ')', the first thing I did was test the externalCommand outside of a for to see why it was not called. The problem persisted and thus cannot be for related. The above table implies that the behavior of cmd /K is different than cmd /C.

I tried to escape spaces when trying start "" "^(t^ s^ t^).CMD", I could not find a working algorithm playing with the quotes and escapes that either did not result in a cmd crash or a messageBox telling me (t s t^).CMD could not be found but that does not mean one does not exist.

The behavior is only observed if all stated conditions are met but I found a solution that is pretty simple:
just add cmd /V:ON /C and it works as expected.

I am not sure what OS aGerman used, but if not XP then the problem does not affect just XP.
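
Added example, not part of any post in this thread: a small Python model of the quote-handling rule that the cmd /? help text documents for /C and /K, run over constructed command tails like the ones discussed above. It models only that rule (not start's own argument splitting or delayed expansion); the function names and the sample path are made up for illustration.

```python
"""Added example: model of the quote rule that `cmd /?` documents for /C and /K."""

SPECIAL = set('&<>()@^|')  # "special characters" named in the cmd /? help text


def effective_command(tail, s_switch=False, is_executable=lambda name: True):
    """Return the text cmd.exe goes on to parse, given what follows /C or /K.

    tail is assumed to start at its first non-blank character.
    is_executable stands in for cmd's "names an executable file" check.
    """
    if not s_switch and tail.count('"') == 2:
        inner = tail[tail.index('"') + 1:tail.rindex('"')]
        if (not SPECIAL & set(inner)
                and any(ch.isspace() for ch in inner)
                and is_executable(inner)):
            return tail                      # rule 1: both quotes are kept
    if tail.startswith('"'):                 # rule 2: drop first and last quote
        last = tail.rindex('"')
        return tail[1:last] + tail[last + 1:]
    return tail


def wrap(path, arguments=""):
    """Build the extra-quoted form used in the thread: ""path" arguments"."""
    inner = f'"{path}" {arguments}'.rstrip()
    return f'"{inner}"'


def path_stays_quoted(tail, path, **kw):
    """True if the path is still enclosed in quotes after cmd's stripping."""
    return f'"{path}"' in effective_command(tail, **kw)


if __name__ == "__main__":
    # Constructed sample tails; the W:\ path is made up for illustration.
    samples = [
        ('"(t s t).cmd"', False),      # parentheses defeat rule 1
        ('""(t s t).cmd""', False),    # outer pair is sacrificed, inner survives
        ('"t s t.cmd"', False),        # rule 1 applies, quotes kept
        ('"t s t.cmd"', True),         # /S always strips
        (wrap(r"W:\dir (x)\eval.EXE", "1+1"), True),
    ]
    for tail, s in samples:
        print(f"/S={s!s:5} {tail:32} -> {effective_command(tail, s)}")
```

In the first sample the quotes are stripped and cmd is left to parse (t s t).cmd unquoted, which is consistent with the ".cmd niet verwacht op dit moment" message in post #1; the wrapped form keeps the path quoted whether or not /S is given.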
