>> What I see as "root cause", is ... Windows ... may parse and re-parse >> a command an unspecified number of times. Compared to Unix, it confuses >> system(3) with execl(3). ... >> A number of similar issues would be solved if Windows would respect the >> "command with one argument" setting, parsing the registry key just once. > > You cannot compare them, Windows [has] ShellExecute and CreateProcess ... > In this particular case, I have to reluctantly agree with Microsoft, due > to my "output side bears the burden of validation" doctrine. ... > ... you should perform normalization or validation before passing a > command string to a function that is designed and documented to invoke > arbitrary programs in arbitrary ways, *not* safely execute an URI ...
Windows already does special %-decoding to URL protocol handlers as per http://msdn2.microsoft.com/en-us/library/aa767914.aspx (whereas I do not think it does that to most other application launch registry keys). It should also protect blanks and quote characters, and anything else that could upset or confuse later processing. Cheers, Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
