File tree Expand file tree Collapse file tree 2 files changed +40
-0
lines changed Expand file tree Collapse file tree 2 files changed +40
-0
lines changed Original file line number Diff line number Diff line change @@ -79,6 +79,27 @@ defmodule Port do
7979 are for advanced usage within the VM. Also consider using `System.cmd/3`
8080 if all you want is to execute a program and retrieve its return value.
8181
82+ > #### Windows argument splitting and untrusted arguments {: .warning}
83+ >
84+ > On Unix systems, arguments are passed to a new operating system
85+ > process as an array of strings but on Windows it is up to the child
86+ > process to parse them and some Windows programs may apply their own
87+ > rules, which are inconsistent with the standard C runtime `argv` parsing
88+ >
89+ > This is particularly troublesome when invoking `.bat` or `.com` files
90+ > as these run implicitly through `cmd.exe`, whose argument parsing is
91+ > vulnerable to malicious input and can be used to run arbitrary shell
92+ > commands.
93+ >
94+ > Therefore, if you are running on Windows and you execute batch
95+ > files or `.com` applications, you must not pass untrusted input as
96+ > arguments to the program. You may avoid accidentally executing them
97+ > by explicitly passing the extension of the program you want to run,
98+ > such as `.exe`, and double check the program is indeed not a batch
99+ > file or `.com` application.
100+ >
101+ > This affects both `spawn` and `spawn_executable`.
102+
82103 ### spawn
83104
84105 The `:spawn` tuple receives a binary that is going to be executed as a
Original file line number Diff line number Diff line change @@ -1005,6 +1005,25 @@ defmodule System do
10051005 `Port` module describes this problem and possible solutions under
10061006 the "Zombie processes" section.
10071007
1008+ > #### Windows argument splitting and untrusted arguments {: .warning}
1009+ >
1010+ > On Unix systems, arguments are passed to a new operating system
1011+ > process as an array of strings but on Windows it is up to the child
1012+ > process to parse them and some Windows programs may apply their own
1013+ > rules, which are inconsistent with the standard C runtime `argv` parsing
1014+ >
1015+ > This is particularly troublesome when invoking `.bat` or `.com` files
1016+ > as these run implicitly through `cmd.exe`, whose argument parsing is
1017+ > vulnerable to malicious input and can be used to run arbitrary shell
1018+ > commands.
1019+ >
1020+ > Therefore, if you are running on Windows and you execute batch
1021+ > files or `.com` applications, you must not pass untrusted input as
1022+ > arguments to the program. You may avoid accidentally executing them
1023+ > by explicitly passing the extension of the program you want to run,
1024+ > such as `.exe`, and double check the program is indeed not a batch
1025+ > file or `.com` application.
1026+
10081027 ## Examples
10091028
10101029 iex> System.cmd("echo", ["hello"])
You can’t perform that action at this time.
0 commit comments