From 9ce85210e61e6c75adfc0ac0f54643cfee1353be Mon Sep 17 00:00:00 2001 From: Ron Yorston Date: Fri, 21 Apr 2023 15:00:14 +0100 Subject: su: escape quotes and backslashes in command In 'su -c "CMD"' CMD should become a single argument to busybox sh -c ... But previously, the parameter string to ShellExecute was constructed by placing the literal value of CMD inside double quotes, which could result in incorrect and/or more than one parameter seen by the program, because double-quotes and (some) backslashes in CMD should be escaped while constructing the string, but they weren't. Now they're escaped so that the WIN32 CommandLineToArgv[W] parses it into a single argument with value identical to the original CMD. --- loginutils/suw32.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/loginutils/suw32.c b/loginutils/suw32.c index 3500c08db..df6d07232 100644 --- a/loginutils/suw32.c +++ b/loginutils/suw32.c @@ -61,7 +61,7 @@ int suw32_main(int argc UNUSED_PARAM, char **argv) xasprintf("--busybox ash -d \"%s\" -t \"BusyBox ash (Admin)\" ", cwd); if (opt_command) info.lpParameters = - xasprintf("%s -s -c \"%s\"", info.lpParameters, opt_command); + xasprintf("%s -s -c %s", info.lpParameters, quote_arg(opt_command)); /* info.lpDirectory = NULL; */ info.nShow = SW_SHOWNORMAL; -- cgit v1.2.3-55-g6feb