-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Windows: Resolve process::Command
program without using the current directory
#87704
Conversation
r? @dtolnay (rust-highfive has picked a reviewer for you, use r? to override) |
a804554
to
f919c12
Compare
f919c12
to
75dae96
Compare
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
☔ The latest upstream changes (presumably #87963) made this pull request unmergeable. Please resolve the merge conflicts. |
5410b28
to
bbe9647
Compare
process::Command
program using only the PATH
process::Command
program without using the current directory
As mentioned in #87945, I've changed this PR to only remove the current directory. This allows focusing on the most pressing issue and avoids conflating separate issues. I've also made sure to otherwise maintain much of the existing behaviour, including the running of
Not documented is that I would recommend that users should not rely on this being maintained. It's undocumented (or anti-documented?) and a bit strange. Instead it would be better to do as the docs suggest and run |
@rustbot ping windows Could some of you take a look at #87704 (comment) and sanity check whether the changed behavior is what developers should expect on your platform? |
Hey Windows Group! This bug has been identified as a good "Windows candidate". cc @arlosi @danielframpton @gdr-at-ms @kennykerr @luqmana @lzybkr @nico-abram @retep998 @rylev @sivadeilra @wesleywiser |
Unfortunately, the directory from which the application loaded isn't a secure option, either. If someone has a self-installing executable that's downloaded into a temporary directory or downloads directory, it isn't safe to execute programs from that directory. This behavior, except with DLLs, is the cause of a large number of security vulnerabilities. My preference is that we don't have implicit behavior. It makes it difficult to reason about the behavior of Rust programs across existing systems, especially for programmers like me who do not normally target Windows. For example, a Rust program working in a MINGW environment may want the MINGW |
I agree that I would rather avoid all implicit behaviours and only search A "half way" option would be to reorder the search paths to give higher priority to the parent's PATH. This is not ideal but it would at least mitigate some of the issues you mention. |
I appreciate that it's difficult to make the change to use only PATH due to the risk of breakage. However, that is the documented behavior, and it's the only behavior that people can safely rely on. In the most technical sense, the current behavior is a bug since it doesn't conform to the documentation. Doing a half-way approach means that Rust will continue to have a security vulnerability and it will continue to be unsafe to write cross-platform code with Rust. It would be better to just change things to do what the documentation says and make the change once so that users don't have to deal with any future changes here. |
☔ The latest upstream changes (presumably #87329) made this pull request unmergeable. Please resolve the merge conflicts. |
I think this is a change we should make. Doing the search ourselves and removing the current directory is an important security fix. We should call attention to this in the release notes, and give people plenty of time to notice issues. @rfcbot merge |
Team member @joshtriplett has proposed to merge this. The next step is review by the rest of the tagged team members: No concerns currently listed. Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
Match any error when failing to find executables For Windows targets, Rust now uses [a custom resolver](rust-lang/rust#87704) to find `process::Command` programs. This has caused some error messages to change. To allow the PR to be merged, some tests have been adjusted to match any error. cc `@ehuss`
Is anyone available to do retry bors now that #90991 has landed? |
@bors retry |
☀️ Test successful - checks-actions |
Finished benchmarking commit (2885c47): comparison url. Summary: This benchmark run did not return any relevant changes. If you disagree with this performance assessment, please file an issue in rust-lang/rustc-perf. @rustbot label: -perf-regression |
Pkgsrc changes: * Bump available bootstraps to 1.57.0. * For some reason, the vendor/libc checksums don't need fixing. * Bump required external LLVM to 12.0, according to upstream change log. * Adapt the Darwin linker patch. (For some reason I've not figured out yet, cargo is a lot more verbose while building, echoes the rustc invocation.) Upstream changes: Version 1.58.1 (2022-01-19) =========================== * Fix race condition in `std::fs::remove_dir_all` ([CVE-2022-21658]) * [Handle captured arguments in the `useless_format` Clippy lint][clippy/8295] * [Move `non_send_fields_in_send_ty` Clippy lint to nursery][clippy/8075] * [Fix wrong error message displayed when some imports are missing][91254] * [Fix rustfmt not formatting generated files from stdin][92912] [CVE-2022-21658]: https://www.cve.org/CVERecord?id=CVE-2022-21658] [91254]: rust-lang/rust#91254 [92912]: rust-lang/rust#92912 [clippy/8075]: rust-lang/rust-clippy#8075 [clippy/8295]: rust-lang/rust-clippy#8295 Version 1.58.0 (2022-01-13) ========================== Language -------- - [Format strings can now capture arguments simply by writing `{ident}` in the string.][90473] This works in all macros accepting format strings. Support for this in `panic!` (`panic!("{ident}")`) requires the 2021 edition; panic invocations in previous editions that appear to be trying to use this will result in a warning lint about not having the intended effect. - [`*const T` pointers can now be dereferenced in const contexts.][89551] - [The rules for when a generic struct implements `Unsize` have been relaxed.][90417] Compiler -------- - [Add LLVM CFI support to the Rust compiler][89652] - [Stabilize -Z strip as -C strip][90058]. Note that while release builds already don't add debug symbols for the code you compile, the compiled standard library that ships with Rust includes debug symbols, so you may want to use the `strip` option to remove these symbols to produce smaller release binaries. Note that this release only includes support in rustc, not directly in cargo. - [Add support for LLVM coverage mapping format versions 5 and 6][91207] - [Emit LLVM optimization remarks when enabled with `-Cremark`][90833] - [Update the minimum external LLVM to 12][90175] - [Add `x86_64-unknown-none` at Tier 3*][89062] - [Build musl dist artifacts with debuginfo enabled][90733]. When building release binaries using musl, you may want to use the newly stabilized strip option to remove these debug symbols, reducing the size of your binaries. - [Don't abort compilation after giving a lint error][87337] - [Error messages point at the source of trait bound obligations in more places][89580] \* Refer to Rust's [platform support page][platform-support-doc] for more information on Rust's tiered platform support. Libraries --------- - [All remaining functions in the standard library have `#[must_use]` annotations where appropriate][89692], producing a warning when ignoring their return value. This helps catch mistakes such as expecting a function to mutate a value in place rather than return a new value. - [Paths are automatically canonicalized on Windows for operations that support it][89174] - [Re-enable debug checks for `copy` and `copy_nonoverlapping`][90041] - [Implement `RefUnwindSafe` for `Rc<T>`][87467] - [Make RSplit<T, P>: Clone not require T: Clone][90117] - [Implement `Termination` for `Result<Infallible, E>`][88601]. This allows writing `fn main() -> Result<Infallible, ErrorType>`, for a program whose successful exits never involve returning from `main` (for instance, a program that calls `exit`, or that uses `exec` to run another program). Stabilized APIs --------------- - [`Metadata::is_symlink`] - [`Path::is_symlink`] - [`{integer}::saturating_div`] - [`Option::unwrap_unchecked`] - [`Result::unwrap_unchecked`] - [`Result::unwrap_err_unchecked`] - [`NonZero{unsigned}::is_power_of_two`] - [`File::options`] These APIs are now usable in const contexts: - [`Duration::new`] - [`Duration::checked_add`] - [`Duration::saturating_add`] - [`Duration::checked_sub`] - [`Duration::saturating_sub`] - [`Duration::checked_mul`] - [`Duration::saturating_mul`] - [`Duration::checked_div`] - [`MaybeUninit::as_ptr`] - [`MaybeUninit::as_mut_ptr`] - [`MaybeUninit::assume_init`] - [`MaybeUninit::assume_init_ref`] Cargo ----- - [Add --message-format for install command][cargo/10107] - [Warn when alias shadows external subcommand][cargo/10082] Rustdoc ------- - [Show all Deref implementations recursively in rustdoc][90183] - [Use computed visibility in rustdoc][88447] Compatibility Notes ------------------- - [Try all stable method candidates first before trying unstable ones][90329]. This change ensures that adding new nightly-only methods to the Rust standard library will not break code invoking methods of the same name from traits outside the standard library. - Windows: [`std::process::Command` will no longer search the current directory for executables.][87704] - [All proc-macro backward-compatibility lints are now deny-by-default.][88041] - [proc_macro: Append .0 to unsuffixed float if it would otherwise become int token][90297] - [Refactor weak symbols in std::sys::unix][90846]. This optimizes accesses to glibc functions, by avoiding the use of dlopen. This does not increase the [minimum expected version of glibc](https://doc.rust-lang.org/nightly/rustc/platform-support.html). However, software distributions that use symbol versions to detect library dependencies, and which take weak symbols into account in that analysis, may detect rust binaries as requiring newer versions of glibc. - [rustdoc now rejects some unexpected semicolons in doctests][91026] Internal Changes ---------------- These changes provide no direct user facing benefits, but represent significant improvements to the internals and overall performance of rustc and related tools. - [Implement coherence checks for negative trait impls][90104] - [Add rustc lint, warning when iterating over hashmaps][89558] - [Optimize live point computation][90491] - [Enable verification for 1/32nd of queries loaded from disk][90361] - [Implement version of normalize_erasing_regions that allows for normalization failure][91255] [87337]: rust-lang/rust#87337 [87467]: rust-lang/rust#87467 [87704]: rust-lang/rust#87704 [88041]: rust-lang/rust#88041 [88300]: rust-lang/rust#88300 [88447]: rust-lang/rust#88447 [88601]: rust-lang/rust#88601 [88624]: rust-lang/rust#88624 [89062]: rust-lang/rust#89062 [89174]: rust-lang/rust#89174 [89542]: rust-lang/rust#89542 [89551]: rust-lang/rust#89551 [89558]: rust-lang/rust#89558 [89580]: rust-lang/rust#89580 [89652]: rust-lang/rust#89652 [89677]: rust-lang/rust#89677 [89951]: rust-lang/rust#89951 [90041]: rust-lang/rust#90041 [90058]: rust-lang/rust#90058 [90104]: rust-lang/rust#90104 [90117]: rust-lang/rust#90117 [90175]: rust-lang/rust#90175 [90183]: rust-lang/rust#90183 [90297]: rust-lang/rust#90297 [90329]: rust-lang/rust#90329 [90361]: rust-lang/rust#90361 [90417]: rust-lang/rust#90417 [90473]: rust-lang/rust#90473 [90491]: rust-lang/rust#90491 [90733]: rust-lang/rust#90733 [90833]: rust-lang/rust#90833 [90846]: rust-lang/rust#90846 [90896]: rust-lang/rust#90896 [91026]: rust-lang/rust#91026 [91207]: rust-lang/rust#91207 [91255]: rust-lang/rust#91255 [91301]: rust-lang/rust#91301 [cargo/10082]: rust-lang/cargo#10082 [cargo/10107]: rust-lang/cargo#10107 [`Metadata::is_symlink`]: https://doc.rust-lang.org/stable/std/fs/struct.Metadata.html#method.is_symlink [`Path::is_symlink`]: https://doc.rust-lang.org/stable/std/path/struct.Path.html#method.is_symlink [`{integer}::saturating_div`]: https://doc.rust-lang.org/stable/std/primitive.i8.html#method.saturating_div [`Option::unwrap_unchecked`]: https://doc.rust-lang.org/stable/std/option/enum.Option.html#method.unwrap_unchecked [`Result::unwrap_unchecked`]: https://doc.rust-lang.org/stable/std/result/enum.Result.html#method.unwrap_unchecked [`Result::unwrap_err_unchecked`]: https://doc.rust-lang.org/stable/std/result/enum.Result.html#method.unwrap_err_unchecked [`NonZero{unsigned}::is_power_of_two`]: https://doc.rust-lang.org/stable/std/num/struct.NonZeroU8.html#method.is_power_of_two [`File::options`]: https://doc.rust-lang.org/stable/std/fs/struct.File.html#method.options [`unix::process::ExitStatusExt::core_dumped`]: https://doc.rust-lang.org/stable/std/os/unix/process/trait.ExitStatusExt.html#tymethod.core_dumped [`unix::process::ExitStatusExt::stopped_signal`]: https://doc.rust-lang.org/stable/std/os/unix/process/trait.ExitStatusExt.html#tymethod.stopped_signal [`unix::process::ExitStatusExt::continued`]: https://doc.rust-lang.org/stable/std/os/unix/process/trait.ExitStatusExt.html#tymethod.continued [`unix::process::ExitStatusExt::into_raw`]: https://doc.rust-lang.org/stable/std/os/unix/process/trait.ExitStatusExt.html#tymethod.into_raw [`Duration::new`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.new [`Duration::checked_add`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.checked_add [`Duration::saturating_add`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.saturating_add [`Duration::checked_sub`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.checked_sub [`Duration::saturating_sub`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.saturating_sub [`Duration::checked_mul`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.checked_mul [`Duration::saturating_mul`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.saturating_mul [`Duration::checked_div`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.checked_div [`Duration::as_secs_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.as_secs_f64 [`Duration::as_secs_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.as_secs_f32 [`Duration::from_secs_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.from_secs_f64 [`Duration::from_secs_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.from_secs_f32 [`Duration::mul_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.mul_f64 [`Duration::mul_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.mul_f32 [`Duration::div_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.div_f64 [`Duration::div_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.div_f32 [`Duration::div_duration_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.div_duration_f64 [`Duration::div_duration_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.div_duration_f32 [`MaybeUninit::as_ptr`]: https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#method.as_ptr [`MaybeUninit::as_mut_ptr`]: https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#method.as_mut_ptr [`MaybeUninit::assume_init`]: https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#method.assume_init [`MaybeUninit::assume_init_ref`]: https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#method.assume_init_ref
…=m-ou-se Maintain broken symlink behaviour for the Windows exe resolver When the resolver was updated to remove the current directory from the search path (see rust-lang#87704), care was take to avoid unintentional changes that hadn't been discussed. However, I missed the broken symlink behaviour. This PR fixes that. **Edit** This turned out to be more important than I first realised. There are some types of application stubs that will redirect to the actual process when run using `CreateProcessW`, but due to the way they're implemented they cannot be opened normally using a `File::open` that follows reparse points. So this doesn't work with our current `exists` and `try_exists` methods. Fixes rust-lang#91177
Pkgsrc changes: * Bump bootstrap kit version to 1.57.0. * Bump require external LLVM to 12.0, according to upstream change log. * Adjust patches as needed, adjust line numbers. * Update checksum adjustments. For some reason the vendor/libc checksum doesn't need fixing, apparently, it remains as commented out. * Add makefile to do all the NetBSD boostrap/cross builds (do-cross.mk). Allow passing in additions to CONFIGURE_ARGS via ADD_CONFIGURE_ARGS. Upstream changes: Version 1.58.1 (2022-01-19) =========================== * Fix race condition in `std::fs::remove_dir_all` ([CVE-2022-21658]) * [Handle captured arguments in the `useless_format` Clippy lint][clippy/8295] * [Move `non_send_fields_in_send_ty` Clippy lint to nursery][clippy/8075] * [Fix wrong error message displayed when some imports are missing][91254] * [Fix rustfmt not formatting generated files from stdin][92912] [CVE-2022-21658]: https://www.cve.org/CVERecord?id=CVE-2022-21658] [91254]: rust-lang/rust#91254 [92912]: rust-lang/rust#92912 [clippy/8075]: rust-lang/rust-clippy#8075 [clippy/8295]: rust-lang/rust-clippy#8295 Version 1.58.0 (2022-01-13) ========================== Language -------- - [Format strings can now capture arguments simply by writing `{ident}` in the string.][90473] This works in all macros accepting format strings. Support for this in `panic!` (`panic!("{ident}")`) requires the 2021 edition; panic invocations in previous editions that appear to be trying to use this will result in a warning lint about not having the intended effect. - [`*const T` pointers can now be dereferenced in const contexts.][89551] - [The rules for when a generic struct implements `Unsize` have been relaxed.][90417] Compiler -------- - [Add LLVM CFI support to the Rust compiler][89652] - [Stabilize -Z strip as -C strip][90058]. Note that while release builds already don't add debug symbols for the code you compile, the compiled standard library that ships with Rust includes debug symbols, so you may want to use the `strip` option to remove these symbols to produce smaller release binaries. Note that this release only includes support in rustc, not directly in cargo. - [Add support for LLVM coverage mapping format versions 5 and 6][91207] - [Emit LLVM optimization remarks when enabled with `-Cremark`][90833] - [Update the minimum external LLVM to 12][90175] - [Add `x86_64-unknown-none` at Tier 3*][89062] - [Build musl dist artifacts with debuginfo enabled][90733]. When building release binaries using musl, you may want to use the newly stabilized strip option to remove these debug symbols, reducing the size of your binaries. - [Don't abort compilation after giving a lint error][87337] - [Error messages point at the source of trait bound obligations in more places][89580] \* Refer to Rust's [platform support page][platform-support-doc] for more information on Rust's tiered platform support. Libraries --------- - [All remaining functions in the standard library have `#[must_use]` annotations where appropriate][89692], producing a warning when ignoring their return value. This helps catch mistakes such as expecting a function to mutate a value in place rather than return a new value. - [Paths are automatically canonicalized on Windows for operations that support it][89174] - [Re-enable debug checks for `copy` and `copy_nonoverlapping`][90041] - [Implement `RefUnwindSafe` for `Rc<T>`][87467] - [Make RSplit<T, P>: Clone not require T: Clone][90117] - [Implement `Termination` for `Result<Infallible, E>`][88601]. This allows writing `fn main() -> Result<Infallible, ErrorType>`, for a program whose successful exits never involve returning from `main` (for instance, a program that calls `exit`, or that uses `exec` to run another program). Stabilized APIs --------------- - [`Metadata::is_symlink`] - [`Path::is_symlink`] - [`{integer}::saturating_div`] - [`Option::unwrap_unchecked`] - [`Result::unwrap_unchecked`] - [`Result::unwrap_err_unchecked`] - [`NonZero{unsigned}::is_power_of_two`] - [`File::options`] These APIs are now usable in const contexts: - [`Duration::new`] - [`Duration::checked_add`] - [`Duration::saturating_add`] - [`Duration::checked_sub`] - [`Duration::saturating_sub`] - [`Duration::checked_mul`] - [`Duration::saturating_mul`] - [`Duration::checked_div`] - [`MaybeUninit::as_ptr`] - [`MaybeUninit::as_mut_ptr`] - [`MaybeUninit::assume_init`] - [`MaybeUninit::assume_init_ref`] Cargo ----- - [Add --message-format for install command][cargo/10107] - [Warn when alias shadows external subcommand][cargo/10082] Rustdoc ------- - [Show all Deref implementations recursively in rustdoc][90183] - [Use computed visibility in rustdoc][88447] Compatibility Notes ------------------- - [Try all stable method candidates first before trying unstable ones][90329]. This change ensures that adding new nightly-only methods to the Rust standard library will not break code invoking methods of the same name from traits outside the standard library. - Windows: [`std::process::Command` will no longer search the current directory for executables.][87704] - [All proc-macro backward-compatibility lints are now deny-by-default.][88041] - [proc_macro: Append .0 to unsuffixed float if it would otherwise become int token][90297] - [Refactor weak symbols in std::sys::unix][90846]. This optimizes accesses to glibc functions, by avoiding the use of dlopen. This does not increase the [minimum expected version of glibc](https://doc.rust-lang.org/nightly/rustc/platform-support.html). However, software distributions that use symbol versions to detect library dependencies, and which take weak symbols into account in that analysis, may detect rust binaries as requiring newer versions of glibc. - [rustdoc now rejects some unexpected semicolons in doctests][91026] Internal Changes ---------------- These changes provide no direct user facing benefits, but represent significant improvements to the internals and overall performance of rustc and related tools. - [Implement coherence checks for negative trait impls][90104] - [Add rustc lint, warning when iterating over hashmaps][89558] - [Optimize live point computation][90491] - [Enable verification for 1/32nd of queries loaded from disk][90361] - [Implement version of normalize_erasing_regions that allows for normalization failure][91255] [87337]: rust-lang/rust#87337 [87467]: rust-lang/rust#87467 [87704]: rust-lang/rust#87704 [88041]: rust-lang/rust#88041 [88300]: rust-lang/rust#88300 [88447]: rust-lang/rust#88447 [88601]: rust-lang/rust#88601 [88624]: rust-lang/rust#88624 [89062]: rust-lang/rust#89062 [89174]: rust-lang/rust#89174 [89542]: rust-lang/rust#89542 [89551]: rust-lang/rust#89551 [89558]: rust-lang/rust#89558 [89580]: rust-lang/rust#89580 [89652]: rust-lang/rust#89652 [89677]: rust-lang/rust#89677 [89951]: rust-lang/rust#89951 [90041]: rust-lang/rust#90041 [90058]: rust-lang/rust#90058 [90104]: rust-lang/rust#90104 [90117]: rust-lang/rust#90117 [90175]: rust-lang/rust#90175 [90183]: rust-lang/rust#90183 [90297]: rust-lang/rust#90297 [90329]: rust-lang/rust#90329 [90361]: rust-lang/rust#90361 [90417]: rust-lang/rust#90417 [90473]: rust-lang/rust#90473 [90491]: rust-lang/rust#90491 [90733]: rust-lang/rust#90733 [90833]: rust-lang/rust#90833 [90846]: rust-lang/rust#90846 [90896]: rust-lang/rust#90896 [91026]: rust-lang/rust#91026 [91207]: rust-lang/rust#91207 [91255]: rust-lang/rust#91255 [91301]: rust-lang/rust#91301 [cargo/10082]: rust-lang/cargo#10082 [cargo/10107]: rust-lang/cargo#10107 [`Metadata::is_symlink`]: https://doc.rust-lang.org/stable/std/fs/struct.Metadata.html#method.is_symlink [`Path::is_symlink`]: https://doc.rust-lang.org/stable/std/path/struct.Path.html#method.is_symlink [`{integer}::saturating_div`]: https://doc.rust-lang.org/stable/std/primitive.i8.html#method.saturating_div [`Option::unwrap_unchecked`]: https://doc.rust-lang.org/stable/std/option/enum.Option.html#method.unwrap_unchecked [`Result::unwrap_unchecked`]: https://doc.rust-lang.org/stable/std/result/enum.Result.html#method.unwrap_unchecked [`Result::unwrap_err_unchecked`]: https://doc.rust-lang.org/stable/std/result/enum.Result.html#method.unwrap_err_unchecked [`NonZero{unsigned}::is_power_of_two`]: https://doc.rust-lang.org/stable/std/num/struct.NonZeroU8.html#method.is_power_of_two [`File::options`]: https://doc.rust-lang.org/stable/std/fs/struct.File.html#method.options [`unix::process::ExitStatusExt::core_dumped`]: https://doc.rust-lang.org/stable/std/os/unix/process/trait.ExitStatusExt.html#tymethod.core_dumped [`unix::process::ExitStatusExt::stopped_signal`]: https://doc.rust-lang.org/stable/std/os/unix/process/trait.ExitStatusExt.html#tymethod.stopped_signal [`unix::process::ExitStatusExt::continued`]: https://doc.rust-lang.org/stable/std/os/unix/process/trait.ExitStatusExt.html#tymethod.continued [`unix::process::ExitStatusExt::into_raw`]: https://doc.rust-lang.org/stable/std/os/unix/process/trait.ExitStatusExt.html#tymethod.into_raw [`Duration::new`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.new [`Duration::checked_add`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.checked_add [`Duration::saturating_add`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.saturating_add [`Duration::checked_sub`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.checked_sub [`Duration::saturating_sub`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.saturating_sub [`Duration::checked_mul`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.checked_mul [`Duration::saturating_mul`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.saturating_mul [`Duration::checked_div`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.checked_div [`Duration::as_secs_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.as_secs_f64 [`Duration::as_secs_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.as_secs_f32 [`Duration::from_secs_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.from_secs_f64 [`Duration::from_secs_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.from_secs_f32 [`Duration::mul_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.mul_f64 [`Duration::mul_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.mul_f32 [`Duration::div_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.div_f64 [`Duration::div_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.div_f32 [`Duration::div_duration_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.div_duration_f64 [`Duration::div_duration_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.div_duration_f32 [`MaybeUninit::as_ptr`]: https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#method.as_ptr [`MaybeUninit::as_mut_ptr`]: https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#method.as_mut_ptr [`MaybeUninit::assume_init`]: https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#method.assume_init [`MaybeUninit::assume_init_ref`]: https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#method.assume_init_ref
… r=dtolnay Use verbatim paths for `process::Command` if necessary In rust-lang#89174, the standard library started using verbatim paths so longer paths are usable by default. However, `Command` was originally left out because of the way `CreateProcessW` was being called. This was changed as a side effect of rust-lang#87704 so now `Command` paths can be converted to verbatim too (if necessary).
… r=dtolnay Use verbatim paths for `process::Command` if necessary In rust-lang#89174, the standard library started using verbatim paths so longer paths are usable by default. However, `Command` was originally left out because of the way `CreateProcessW` was being called. This was changed as a side effect of rust-lang#87704 so now `Command` paths can be converted to verbatim too (if necessary).
Currently
std::process::Command
searches many directories for the executable to run, including the current directory. This has lead to a CVE forripgrep
but presumably other command line utilities could be similarly vulnerable if they run commands. This was discussed on the internals forum. Also discussed was which directories should be searched.EDIT: This PR originally removed all implicit paths. They've now been added back as laid out in the rest of this comment.
Old Search Strategy
The old search strategy is documented here. Additionally Rust adds searching the child's paths (see also #37519). So the full list of paths that were searched was:
PATH
environment variable.New Search Strategy
The new strategy removes the current directory from the searched paths.
Note that it also removes the 16-bit system directory, mostly because there isn't a function to get it. I do not anticipate this being an issue in modern Windows.
Impact
Removing the current directory should fix CVE's like the one linked above. However, it's possible some Windows users of affected Rust CLI applications have come to expect the old behaviour.
This change could also affect small Windows-only script-like programs that assumed the current directory would be used. The user would need to use
.\file.exe
instead of the bare application name.This PR could break tests, especially those that test the exact output of error messages (e.g. Cargo) as this does change the error messages is some cases.