Security bug in ShellExecuteEx()
Francois Gouget
fgouget at codeweavers.com
Fri Apr 9 10:15:49 CDT 2004
Hi Micheal,
Michael Stefaniuc wrote:
> Hello,
>
> On Fri, Apr 09, 2004 at 02:14:10AM +0200, Francois Gouget wrote:
>
>>Index: dlls/shell32/shlexec.c
>>===================================================================
>>RCS file: /var/cvs/wine/dlls/shell32/shlexec.c,v
>>retrieving revision 1.40
>>diff -u -r1.40 shlexec.c
>>--- a/dlls/shell32/shlexec.c 7 Apr 2004 03:49:51 -0000 1.40
>>+++ b/dlls/shell32/shlexec.c 8 Apr 2004 23:12:53 -0000
>>@@ -1114,10 +1126,6 @@
>> strcatW(wszApplicationName, wszCommandline);
>> }
>>
>>- retval = execfunc(wszApplicationName, NULL, FALSE, &sei_tmp, sei);
>>- if (retval > 32)
>>- return TRUE;
>>-
>> /* Else, try to find the executable */
>
> ^^^^^ You may want to remove this because it refers to the
Well, it's actually worst than that. Just before we have this code:
if (wszCommandline[0]) {
strcatW(wszApplicationName, wSpace);
strcatW(wszApplicationName, wszCommandline);
}
...
/* Else, try to find the executable */
Now if you missed the beginning of ShellExecuteEx32() you would not
suspect this but wszApplicationName is the same as sei_tmp.lpFile. So
the above code, which was already there, would clobber sei_tmp.lpFile
whenever wszCommandline (i.e. in fact sei_tmp.lpParameters) is not
empty. This could probably cause ShellExecuteEx to fail in some
mysterious circumstances.
Now, besides the non-obvious naming scheme, this code is further muddled
by the fact that sometimes wszCommandline is used as a 1024 character
temporary buffer, and by the fact that sei_tmp.lpParameters and
wszCommandline are used interchangeably.
So I'll wait till the original patch is committed and then I'll submit a
new patch which cleans up the above issues.
There's something else that seems wrong: the code that handles the
lpIDList does:
/* process the IDList */
if (sei_tmp.fMask & SEE_MASK_IDLIST)
{
...
wszApplicationName[0] = '"';
SHGetPathFromIDListW(sei_tmp.lpIDList, wszApplicationName+1);
strcatW(wszApplicationName, wQuote);
}
So we end up with a wszApplicationName (i.e. an sei_tmp.lpFile) which is
quoted. Now as I have found out this does not work which is why I remove
the quotes... a bit before.
So has this lpIDList code been tested? Does it work and if yes how come
ShellExecute("\"notepad.exe\"") didn't?
--
Francois Gouget
fgouget at codeweavers.com
More information about the wine-devel
mailing list