[host] windows: avoid quoting issues with CreateProcessAsUserA

To quote MSDN documentation:

> The lpApplicationName parameter can be NULL, in which case the executable
> name must be the first white space–delimited string in lpCommandLine. If
> the executable or path name has a space in it, there is a risk that a
> different executable could be run because of the way the function parses
> spaces. The following example is dangerous because the function will
> attempt to run "Program.exe", if it exists, instead of "MyApp.exe".
>
>   LPTSTR szCmdline[] = _tcsdup(TEXT("C:\\Program Files\\MyApp"));
>   CreateProcessAsUser(hToken, NULL, szCmdline, /*...*/ );
>
> If a malicious user were to create an application called "Program.exe" on
> a system, any program that incorrectly calls CreateProcessAsUser using the
> Program Files directory will run this application instead of the intended
> application.
>
> To avoid this problem, do not pass NULL for lpApplicationName.

So instead, we pass the executable to lpApplicationName instead, which avoids
the issue. MSDN says:

> The lpCommandLine parameter can be NULL. In that case, the function uses
> the string pointed to by lpApplicationName as the command line.

This also avoids the strdup since lpApplicationName is LPCSTR unlike
lpCommandLine which is LPSTR.
This commit is contained in:
Quantum 2021-01-15 18:34:29 -05:00 committed by Geoffrey McRae
parent c67bacbf5b
commit 4858bb5899

View File

@ -340,11 +340,10 @@ void Launch(void)
.lpDesktop = "WinSta0\\Default"
};
char * exe = strdup(os_getExecutable());
if (!f_CreateProcessAsUserA(
hToken,
os_getExecutable(),
NULL,
exe,
NULL,
NULL,
TRUE,
@ -358,16 +357,13 @@ void Launch(void)
service.running = false;
doLog("failed to launch\n");
winerr();
goto fail_exe;
goto fail_token;
}
CloseHandle(pi.hThread);
service.process = pi.hProcess;
service.running = true;
fail_exe:
free(exe);
fail_token:
CloseHandle(hToken);
}