
Re: CreateProcess() calls should quote the executable they are trying to start.

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Sat, 23 Jun 2012 16:09:21 +0200

On 23.06.2012 14:17, Jurko Gospodnetić wrote:
> Hi.
>
> A slight quirk I ran into by accident while looking for a similar
> problem in a different software product - TortoiseSVN's CreateProcess()
> Windows API calls should quote their executable path, at least in cases
> when it contains spaces.
>
> This avoids problems with unexpected executables getting triggered.
>
> To see one such potential problem do the following:
> * Have your TortoiseProc.exe located in "C:\Program
> Files\TortoiseSVN\bin".
> * Create a simple hello world program and store it as:
> "C:\Program.exe".
> * Open TortoiseSVN's AboutBox dialog.
> * Click on the 'Check For Updates...' button.
>
> And you will now see the hello world program flash by instead
> of the expected update check. :-)
>
> The problem originates with CreateProcess() trying to be overly smart
> and trying to guess whether perhaps you gave it an unquoted executable
> path/name containing spaces if it can not find it directly, effectively
> covering this problem up and allowing someone to modify TortoiseSVN's
> behaviour just by adding a new file in the system.
>
> For this exact use case the command-line seems to be constructed in
> src\TortoiseProc\AboutDlg.cpp by simply using an unquoted
> GetModuleFileName() result.

I already know about the problem, that's why in most places in our code
the paths are quoted if necessary (also if not really necessary).
But you're right, there are still a few places left where quotes are
missing. I'll try to find them all now and fix this.

Note: CreateProcess only does this guessing if you leave the first
parameter as NULL. If you specify the path to the exe as the first
parameter and the command line as the second one, then the first path
must not (yes, must not - if you do, the function call will fail) be
enquoted even if it contains spaces. Only if the exe path is passed as
part of the second parameter to CreateProcess, then you have to enquote
the paths.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
Received on 2012-06-23 16:09:40 CEST

This is an archived mail posted to the TortoiseSVN Dev mailing list.
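
The ambiguity discussed in this thread, as an added example that is not part of the original mails or of TortoiseSVN's code: a portable, simplified model of the module-name guessing for a command line passed as the second parameter with the first left NULL, next to the quoted form that leaves only one interpretation. It makes no Windows API calls; candidates(), build_cmdline() and the "/constructed-arg" argument are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAXP 260 /* classic MAX_PATH; enough for this model */

/* Append ".exe" when the last path component has no extension. */
static void add_exe(char *p) {
    const char *base = strrchr(p, '\\');
    if (!strchr(base ? base + 1 : p, '.')) strcat(p, ".exe");
}

/* Simplified model of the guessing done when the first CreateProcess()
 * parameter is NULL: lists, in order, the module paths cmd could mean. */
int candidates(const char *cmd, char out[][MAXP], int max) {
    int count = 0;
    if (cmd[0] == '\0' || max < 1) return 0;
    if (cmd[0] == '"') { /* quoted: exactly one possible module */
        const char *end = strchr(cmd + 1, '"');
        size_t len = end ? (size_t)(end - cmd - 1) : strlen(cmd + 1);
        if (len >= MAXP - 4) return 0;
        memcpy(out[0], cmd + 1, len);
        out[0][len] = '\0';
        add_exe(out[0]);
        return 1;
    }
    for (size_t i = 1; count < max && i < MAXP - 4; i++) {
        if (cmd[i] == ' ' || cmd[i] == '\0') { /* unquoted: one per space */
            memcpy(out[count], cmd, i);
            out[count][i] = '\0';
            add_exe(out[count++]);
        }
        if (cmd[i] == '\0') break;
    }
    return count;
}

/* Build "\"exe\" args"; -1 if it does not fit or exe contains a quote. */
int build_cmdline(const char *exe, const char *args, char *out, size_t n) {
    if (strchr(exe, '"')) return -1;
    int w = snprintf(out, n, "\"%s\" %s", exe, args);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

int main(void) {
    const char *exe = "C:\\Program Files\\TortoiseSVN\\bin\\TortoiseProc.exe";
    char c[8][MAXP], quoted[512];
    printf("unquoted: %d candidate(s)\n", candidates(exe, c, 8));
    build_cmdline(exe, "/constructed-arg", quoted, sizeof quoted); /* made-up argument */
    printf("quoted:   %d candidate(s)\n", candidates(quoted, c, 8));
    return 0;
}
```

More than one candidate for a command line means the path needs quoting before it is passed as the second parameter.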