File tree 2 files changed +40
-0
lines changed 2 files changed +40
-0
lines changed Original file line number Diff line number Diff line change @@ -79,6 +79,27 @@ defmodule Port do
7979 are for advanced usage within the VM. Also consider using `System.cmd/3`
8080 if all you want is to execute a program and retrieve its return value.
8181
82+ > #### Windows argument splitting and untrusted arguments {: .warning}
83+ >
84+ > On Unix systems, arguments are passed to a new operating system
85+ > process as an array of strings but on Windows it is up to the child
86+ > process to parse them and some Windows programs may apply their own
87+ > rules, which are inconsistent with the standard C runtime `argv` parsing
88+ >
89+ > This is particularly troublesome when invoking `.bat` or `.com` files
90+ > as these run implicitly through `cmd.exe`, whose argument parsing is
91+ > vulnerable to malicious input and can be used to run arbitrary shell
92+ > commands.
93+ >
94+ > Therefore, if you are running on Windows and you execute batch
95+ > files or `.com` applications, you must not pass untrusted input as
96+ > arguments to the program. You may avoid accidentally executing them
97+ > by explicitly passing the extension of the program you want to run,
98+ > such as `.exe`, and double check the program is indeed not a batch
99+ > file or `.com` application.
100+ >
101+ > This affects both `spawn` and `spawn_executable`.
102+
82103 ### spawn
83104
84105 The `:spawn` tuple receives a binary that is going to be executed as a
Original file line number Diff line number Diff line change @@ -995,6 +995,25 @@ defmodule System do
995995 `Port` module describes this problem and possible solutions under
996996 the "Zombie processes" section.
997997
998+ > #### Windows argument splitting and untrusted arguments {: .warning}
999+ >
1000+ > On Unix systems, arguments are passed to a new operating system
1001+ > process as an array of strings but on Windows it is up to the child
1002+ > process to parse them and some Windows programs may apply their own
1003+ > rules, which are inconsistent with the standard C runtime `argv` parsing
1004+ >
1005+ > This is particularly troublesome when invoking `.bat` or `.com` files
1006+ > as these run implicitly through `cmd.exe`, whose argument parsing is
1007+ > vulnerable to malicious input and can be used to run arbitrary shell
1008+ > commands.
1009+ >
1010+ > Therefore, if you are running on Windows and you execute batch
1011+ > files or `.com` applications, you must not pass untrusted input as
1012+ > arguments to the program. You may avoid accidentally executing them
1013+ > by explicitly passing the extension of the program you want to run,
1014+ > such as `.exe`, and double check the program is indeed not a batch
1015+ > file or `.com` application.
1016+
9981017 ## Examples
9991018
10001019 iex> System.cmd("echo", ["hello"])
You can’t perform that action at this time.
0 commit comments