search

mtkennerly / shawl

Windows service wrapper for arbitrary commands
MIT License
518 stars 15 forks source link

add option doesn't quote shawl executable path if started from path containing whitespace #37

Closed Bill-Stewart closed 1 year ago

Bill-Stewart commented 1 year ago

Reproduce:

  1. Create subdirectory with name containing spaces
  2. Copy shawl.exe to this subdirectory

  3. From this subdirectory, run command:

    shawl add --name test -- "C:\Program Files\Test App\testapp.exe"

Expected service command line:

   "C:\Path with Spaces\shawl.exe" run --name test -- "C:\Program Files\Test App\testapp.exe"

Actual service command line:

   C:\Path with Spaces\shawl.exe run --name test -- "C:\Program Files\Test App\testapp.exe"

If this service startup command line works (presuming testapp.exe exists in that path), then the Windows command-line parsing magic is working, but for sure security scanners will flag this as an "unquoted service path" vulnerability; e.g.: https://www.tenable.com/plugins/nessus/63155

The recommendation is to quote the executable path, thus preventing any potential exploit.

mtkennerly commented 1 year ago

Thanks for reporting this! I'll fix this up.