BugTraq
Defense in depth -- the Microsoft way (part 23): two quotes or not to quote... Dec 13 2014 02:36PM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

some Windows commands/programs fail when (one of) their
command line argument(s) is/are enclosed in quotes; for
example:

%SystemRoot%\System32\FontView.Exe "<pathname>.TTF"
%SystemRoot%\System32\FONTVIEW.Exe /P "<filename>.TTF"
%SystemRoot%\System32\RunDLL32.Exe %SystemRoot%\System32\SetupAPI.Dll,InstallHinfSection <section> <flags> "<pathname>.INF"

The failure messages shown by both commands are priceless,
they don't give the slightest hint why they fail at all.-(

JFTR: both commands support (like NOTEPAD.EXE or CreateProcess(),
see <http://msdn.microsoft.com/library/ms682425.aspx>)
"long" but unquoted file/pathnames containing spaces!

Another example:

>"%TEMP%\just a test.eml" Echo Subject: Just a test

"%ProgramFiles%\Windows Mail\WinMail.Exe" /EML:"%TEMP%\just a test.eml"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ForwardEML:"%TEMP%\just a test.eml"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyEML:"%TEMP%\just a test.eml"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyAllEML:"%TEMP%\just a test.eml"

>"%TEMP%\just a test.nws" Echo Subject: Just a test

"%ProgramFiles%\Windows Mail\WinMail.Exe" /NWS:"%TEMP%\just a test.nws"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ForwardNWS:"%TEMP%\just a test.nws"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyNWS:"%TEMP%\just a test.nws"
"%ProgramFiles%\Windows Mail\WinMail.Exe" /ReplyAllNWS:"%TEMP%\just a test.nws"

show the error message

"The File ""...\just a test.eml"" could not be opened because it does
not exist or is being used by another application. (0x800CCF65, 123)"

At least this message gives a very slight hint: the Win32 error '123'
alias ERROR_INVALID_NAME is
"The filename, directory name, or volume label syntax is incorrect";
see <http://msdn.microsoft.com/library/ms681382.aspx> or run
NET.EXE HelpMsg 123

Again, same as above: this program works when the argument is not
quoted, despite the "long" pathname containing spaces:

"%ProgramFiles%\Windows Mail\WinMail.Exe" /EML:%TEMP%\just a test.eml
"%ProgramFiles%\Windows Mail\WinMail.Exe" /NWS:%TEMP%\just a test.nws

BUT:
"%ProgramFiles%\Windows Mail\WinMail.Exe" /MailURL:"mailto:mailbox@example.com?subject=..."
"%ProgramFiles%\Windows Mail\WinMail.Exe" /NewsURL:"mailto:mailbox@example.com?subject=..."
both work with a quoted argument!

JFTR: if you don't have "Windows Mail", but "Windows Live Mail" or
"Outlook Express": they too show the same inconsistent and
surprising behaviour.

I have not checked whether "Outlook" has the same bug, but
I'm confident it has.-(

WTF?
Microsoft, can't you afford a QA?

And one more:

the "AppInit_DLLs" registry entry
(see <https://support.microsoft.com/kb/197571> as well as
<https://msdn.microsoft.com/library/dd744762.aspx>).

JFTR: although AppInit_DLLs are only supported on Windows NT
(see <https://support.microsoft.com/kb/134655>) a braindead
developer chose not to use a REG_MULTI_SZ value (avoiding
the need to interpret spaces as separator and thus supporting
"long" filenames).

have fun
Stefan Kanthak
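
The following is an added example, not part of the original post and not Microsoft's code. It models the /EML: behaviour reported above under the assumption that the program takes the raw text after the switch as the filename, and shows why a quoted value then ends in ERROR_INVALID_NAME (123) while a parser that strips one pair of surrounding quotes accepts both forms. The function names and the C:\Temp paths are constructed for illustration.

```python
import re

ERROR_SUCCESS = 0
ERROR_INVALID_NAME = 123  # Win32 error code quoted in the post

# Characters Win32 rejects inside a file or path name. ':' is handled
# separately because it is legal directly after a drive letter.
INVALID_CHARS = set('"<>|?*')

# First "/Name:value" switch after the program name; the value runs to the
# end of the command line (assumed model of the parser, see lead-in).
SWITCH = re.compile(r'\s/(?P<name>[A-Za-z]+):(?P<tail>.*)$')


def check_name(path):
    """Syntax-only check: 123 if the string cannot be a Win32 path."""
    if not path:
        return ERROR_INVALID_NAME
    rest = path[2:] if re.match(r'^[A-Za-z]:', path) else path
    if ':' in rest or any(c in INVALID_CHARS or ord(c) < 32 for c in rest):
        return ERROR_INVALID_NAME
    return ERROR_SUCCESS


def naive_value(cmdline):
    """Return the switch value verbatim, quotes included."""
    m = SWITCH.search(cmdline)
    return m.group('tail') if m else None


def tolerant_value(cmdline):
    """Return the switch value with one matched pair of outer quotes removed."""
    value = naive_value(cmdline)
    if value is None:
        return None
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return value


if __name__ == '__main__':
    exe = r'"C:\Program Files\Windows Mail\WinMail.Exe"'  # constructed sample
    for arg in (r'/EML:"C:\Temp\just a test.eml"', r'/EML:C:\Temp\just a test.eml'):
        line = exe + ' ' + arg
        print(arg, check_name(naive_value(line)), check_name(tolerant_value(line)))
```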
