running any external command safely !

[Ed Dyreen]

This works.

Code: Select all

> start "" /B ""(tst).cmd""

Adding spaces...

Code: Select all

> start "" /B ""(t s t).cmd""

>

MessageBox( Windows cannot find file (t. )

Code: Select all

> start "" /B "(tst).cmd"

> .cmd niet verwacht op dit moment.

Works fine from explorer...
Push works too...

Code: Select all

> pushd "W:\ED\VIP\PROJ\DEV\doskit\doskitXPserver2003 v0.1 (20190129)\Hello world ^!\"

> start "" /B ""(tst).cmd""

Hmm **censored**

[aGerman]

Your batch file was executed using "%comspec%" /k. If you explicitely pass option /s it should work.

Code: Select all

start "" /b cmd /s /k ""(t s t).bat""

respectively without the spaces.

Steffen

[Ed Dyreen]

Your batch file was executed using "%comspec%" /k. If you explicitely pass option /s it should work.

Code: Select all

start "" /b cmd /s /k ""(t s t).bat""

respectively without the spaces.

Steffen

indeed, cmd /K seems to force the use of start cmd /S /K later. So in order to have start behave as expected it is probably best to always use the /S /K option. The path can contain any "allowed" character and the script may or may not have been started using the /K option.

I am so not going to check cmdCmdLine, it wouldn't make a difference, I think your fix is generic aGerman.


Thanks.

[Ed Dyreen]

apparently I already solved it once elsewhere in my code. It is not /S that is required but /K.

Code: Select all

start "!$title!" !$sargs! /D "!oFile.fullPath!" "!comspec!" /K ""!oFile.file!" !$args!"

and it works

[aGerman]

Interesting. The command line that appears in the task manager is the same for

Code: Select all

start "" /b cmd /K ""(tst).bat""

and for

Code: Select all

start "" /b ""(tst).bat""

[Ed Dyreen]

Interesting. The command line that appears in the task manager is the same for

Code: Select all

start "" /b cmd /K ""(tst).bat""

and for

Code: Select all

start "" /b ""(tst).bat""

One can detect the /K option in the cmdCmdLine and use this knowledge to decide on consecutive /K's and program exit [/B]? %errorlevel% but it is a lot of work that can be avoided by having the child exit explicitly always.

[penpen]

Just because i am curious - why do you use doubled double-quotes; shouldn't the command work with doublequotes using only one time?

Code: Select all

start "" /B "(t s t).cmd"

penpen

[Ed Dyreen]

Just because i am curious - why do you use doubled double-quotes; shouldn't the command work with doublequotes using only one time?

Code: Select all

start "" /B "(t s t).cmd"

penpen

It is the '(' and ')' characters that confuses cmd if running with the /K option on my windows XP apparently, but I suspect on your windows too?

While analyzing with echo on I experienced difficulty, in getting the characters inside a messageBox( file not found ). Not adding carets and messageBox would not be complete. Switching quotes and cmd would crash. adding carets and they would end up in a windows explorer messageBox( file not found: (t s t^).cmd ).

The double double quotes by itself already was an attempt to tackle the problem. Apparently I had already devoted quite some code elsewhere that makes start work always and to adapt behavior when cmd /K is detected. ( when done, my script needs to return if called but exit explicitly if started with /K otherwise the window will remain open indefinitely. )

aGerman made the point

Interesting. The command line that appears in the task manager is the same for

Code: Select all

start "" /b cmd /K ""(tst).bat""

and for

Code: Select all

start "" /b ""(tst).bat""

I remember this, when looking at my code I see that I am not trying to match with /K but /C lowercase. if (cmdCmdLineType<>"c") {exitType = "";} else I need to add a /B exit [/B]? %errorLevel% to have it work as expected.

[Ed Dyreen]

Running an external command in a cmd /K initiated environment the "usual" way is insecure.

Testing platform XP. Path contains brackets AND spaces:

Code: Select all

set "externalCommand=..\doskitXPserver2003 v0.1 (20190129)\Hello world ^^^!\doskitXPserver2003 v0.1 (20190129)\ext\eval\eval.EXE"
set "externalCommand"
echo.

Next fail with: The system cannot find the specified path OR X not recognized as an internal or external command, program or batch file.

Code: Select all

cmd /V:OFF /C "!externalCommand!" %arguments%
cmd /S /C ""!externalCommand!" %arguments%"
cmd /K ""!externalCommand!" %arguments%"

for /F "delims=" %%? in ( '"!externalCommand!" %arguments%' ) do echo.%%?

Note the last failing command using for. Many will use this when trying to read from an external program but it fails if externalCommand contains 'brackets' AND 'spaces' AND the 'parent process is cmd /K initiated' and therefore is completely insecure.

I found a few combinations that seem to work:

Code: Select all

"%externalCommand%" %arguments%

cmd /V:ON /C ""!externalCommand!" %arguments%"
start "" cmd /K ""!externalCommand!" %arguments%"

for /F delims^=^ eol^= %%r in (	'cmd /V:ON /C ""!externalCommand!" %arguments%"') do echo.%%r

[dbenham]

I have only casually browsed this topic, so I may be barking up the wrong tree...

But perhaps your problem has something to do with the intermittent XP bug when a FOR /F IN() clause contains an unquoted/unescaped token delimiter.
Remember that one

I definitely see an unquoted/unescaped space in the following, and there may be more depending on the content of %arguments%

Code: Select all

...
for /F "delims=" %%? in ( '"!externalCommand!" %arguments%' ) do echo.%%?

Dave Benham

[Ed Dyreen]

But perhaps your problem has something to do with the intermittent XP bug when a FOR /F IN() clause contains an unquoted/unescaped token delimiter.

I think we can exclude that one.

Code: Select all

parent cmd /K		regular for 'unescaped'		works
yes			yes				no					
yes			no				no
no			yes				yes
no			no				yes

Although the problem arised in a for after the path included '(' and ')'. The first thing I did was test the externalCommand outside of a for to see why it was not called. The problem persisted and thus cannot be for related. The above table implies that the behavior of cmd /K is different than cmd /C.

I tried to escape spaces when trying start "" "^(t^ s^ t^).CMD", I could not find a working algorithm playing with the quotes and escapes that either did not result in a cmd crash or a messageBox telling me (t s t^).CMD could not be found but that does not mean one does not exist.

The behavior is only observed if all stated conditions are met but I found a solution that is pretty simple:
just add cmd /V:ON /C and it works as expected.

I am not sure what OS aGerman used, but if not XP then the problem does not affect just XP.