mirror of
https://github.com/gnif/LookingGlass.git
synced 2024-11-10 00:28:20 +00:00
[host] windows: avoid quoting issues with CreateProcessAsUserA
To quote MSDN documentation: > The lpApplicationName parameter can be NULL, in which case the executable > name must be the first white space–delimited string in lpCommandLine. If > the executable or path name has a space in it, there is a risk that a > different executable could be run because of the way the function parses > spaces. The following example is dangerous because the function will > attempt to run "Program.exe", if it exists, instead of "MyApp.exe". > > LPTSTR szCmdline[] = _tcsdup(TEXT("C:\\Program Files\\MyApp")); > CreateProcessAsUser(hToken, NULL, szCmdline, /*...*/ ); > > If a malicious user were to create an application called "Program.exe" on > a system, any program that incorrectly calls CreateProcessAsUser using the > Program Files directory will run this application instead of the intended > application. > > To avoid this problem, do not pass NULL for lpApplicationName. So instead, we pass the executable to lpApplicationName instead, which avoids the issue. MSDN says: > The lpCommandLine parameter can be NULL. In that case, the function uses > the string pointed to by lpApplicationName as the command line. This also avoids the strdup since lpApplicationName is LPCSTR unlike lpCommandLine which is LPSTR.
This commit is contained in:
parent
c67bacbf5b
commit
4858bb5899
@ -340,11 +340,10 @@ void Launch(void)
|
||||
.lpDesktop = "WinSta0\\Default"
|
||||
};
|
||||
|
||||
char * exe = strdup(os_getExecutable());
|
||||
if (!f_CreateProcessAsUserA(
|
||||
hToken,
|
||||
os_getExecutable(),
|
||||
NULL,
|
||||
exe,
|
||||
NULL,
|
||||
NULL,
|
||||
TRUE,
|
||||
@ -358,16 +357,13 @@ void Launch(void)
|
||||
service.running = false;
|
||||
doLog("failed to launch\n");
|
||||
winerr();
|
||||
goto fail_exe;
|
||||
goto fail_token;
|
||||
}
|
||||
|
||||
CloseHandle(pi.hThread);
|
||||
service.process = pi.hProcess;
|
||||
service.running = true;
|
||||
|
||||
fail_exe:
|
||||
free(exe);
|
||||
|
||||
fail_token:
|
||||
CloseHandle(hToken);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user