The dangerous, exquisite art of safely handing user-uploaded files: Tom Eastman (was: Does This Scare You?)

eryk sun eryksun at gmail.com
Mon Aug 22 12:25:30 EDT 2016


On Mon, Aug 22, 2016 at 3:40 PM, Chris Angelico <rosuav at gmail.com> wrote:
> Windows has some other issues, including that arbitrary files can
> become executable very easily (eg if %PATHEXT% includes its file
> extension),

cmd uses PATHEXT to augment its search by appending each extension in
the list, in addition to searching for the exact filename. cmd will
always attempt to run any match, regardless of the extension.

You must be thinking of PowerShell, which for some reason reinterprets
how this environment variable has worked since probably OS/2 in the
late 80s. PowerShell only executes files found in PATH that have an
extension that's listed in PATHEXT.

CreateProcess checks the user's execute access in the file security,
which can prevent the execution of .BAT/.CMD files and PE executables,
regardless of extension. But ShellExecute(Ex) has an MS-DOS brain (so
much of the entire Explorer/shell32 implementation has an MS-DOS
brain; it's like they think they're still supporting Windows 9x), so
scripts and data files are always 'executable'. You get some help here
from cmd, which always tries CreateProcess, regardless of extension,
and won't continue to ShellExecuteEx if CreateProcess failed because
access was denied. PowerShell... not so much.

> and since the current directory is always at the beginning
> of your path, this can easily turn into a remote code execution
> exploit.

Since Vista, both CreateProcess and cmd.exe support the environment
variable NoDefaultCurrentDirectoryInExePath. If this is set, you have
to explicitly reference the current directory. PowerShell always
required this.
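The lookup rules discussed in this thread, as an added example that is not part of the post or of Python itself: it models how cmd resolves a bare command name (current directory first, then PATH, trying the exact name and then each PATHEXT extension), what NoDefaultCurrentDirectoryInExePath changes, and the PowerShell-style rule that only files whose own extension is in PATHEXT are run. The functions resolve_command, build_layout and demo and the sample directory tree are constructed for this example; it is a simplified model of the behaviour, not a reimplementation of either shell.

```python
import os
import tempfile

def resolve_command(name, cwd, path_dirs, pathext,
                    no_default_cwd=False, require_pathext=False):
    """Return (resolved_path, found_in_cwd), or (None, False) if no match.

    cmd.exe order (simplified): current directory first, unless
    NoDefaultCurrentDirectoryInExePath is set, then each PATH entry; in each
    directory the exact name is tried, then name + each PATHEXT extension.
    require_pathext models PowerShell, which only runs a file whose own
    extension is listed in PATHEXT."""
    search_dirs = list(path_dirs) if no_default_cwd else [cwd, *path_dirs]
    exts = [e.lower() for e in pathext]
    for directory in search_dirs:
        for candidate in [name, *(name + e for e in exts)]:
            full = os.path.join(directory, candidate)
            ext_ok = not require_pathext or os.path.splitext(full)[1].lower() in exts
            if os.path.isfile(full) and ext_ok:
                return full, directory == cwd
    return None, False

def build_layout(root):
    """Constructed sample tree: tool.exe and readme.txt on PATH, plus a stray
    tool.bat in the working directory standing in for a user upload."""
    cwd = os.path.join(root, "uploads")
    bin_dir = os.path.join(root, "bin")
    for d in (cwd, bin_dir):
        os.makedirs(d)
    for d, f in ((cwd, "tool.bat"), (bin_dir, "tool.exe"), (bin_dir, "readme.txt")):
        open(os.path.join(d, f), "w").close()
    return cwd, [bin_dir]

def demo():
    """Resolve 'tool' and 'readme.txt' under the three lookup policies."""
    pathext = [".COM", ".EXE", ".BAT", ".CMD"]
    policies = {
        "cmd default": {},
        "cmd, NoDefaultCurrentDirectoryInExePath set": {"no_default_cwd": True},
        "PowerShell-style": {"no_default_cwd": True, "require_pathext": True},
    }
    result = {}
    with tempfile.TemporaryDirectory() as root:
        cwd, path_dirs = build_layout(root)
        for label, opts in policies.items():
            for name in ("tool", "readme.txt"):
                path, in_cwd = resolve_command(name, cwd, path_dirs, pathext, **opts)
                result[label, name] = (os.path.basename(path) if path else None, in_cwd)
    return result
```

With the default policy the stray tool.bat in the working directory shadows the real tool.exe, and readme.txt is still "found" (cmd would hand it to ShellExecuteEx); setting the variable restores tool.exe, and the PowerShell-style rule refuses the data file entirely.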
