Full Disclosure mailing list archives

Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype


From: Paul Szabo <psz () maths usyd edu au>
Date: Mon, 8 Oct 2007 08:31:45 +1000

What I see as "root cause", is ... Windows ... may parse and re-parse
a command an unspecified number of times. Compared to Unix, it confuses
system(3) with execl(3). ...
A number of similar issues would be solved if Windows would respect the
"command with one argument" setting, parsing the registry key just once.

You cannot compare them, Windows [has] ShellExecute and CreateProcess ...
In this particular case, I have to reluctantly agree with Microsoft, due
to my "output side bears the burden of validation" doctrine. ...
... you should perform normalization or validation before passing a
command string to a function that is designed and documented to invoke
arbitrary programs in arbitrary ways, *not* safely execute an URI ...

Windows already does special %-decoding to URL protocol handlers as per
http://msdn2.microsoft.com/en-us/library/aa767914.aspx
(whereas I do not think it does that to most other application launch
registry keys). It should also protect blanks and quote characters, and
anything else that could upset or confuse later processing.

Cheers,

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
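
The validation step discussed in the message above, as an added example that is not part of the original message or of any code from the thread. The scheme allowlist, the function names and the sample URIs are assumptions made for illustration; the single decode pass models the handler-side %-decoding the message refers to, and the policy is deliberately conservative: it rejects anything that would turn into a blank, quote, control character or leftover `%` after that decode.

```python
from urllib.parse import unquote

# Assumption: the only schemes this application passes on to the OS.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def _risky(ch):
    # Blanks and quotes (named in the message), control characters, and '%'
    # (after one decode, a '%' means another encoding layer is still waiting).
    return ch in " \"'%" or ord(ch) < 0x20 or ord(ch) == 0x7F


def check_uri_for_handler(uri):
    """Return (ok, reason) for a URI about to be handed to a protocol handler."""
    scheme, sep, _rest = uri.partition(":")
    if not sep or scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # Raw form: '%' is legitimate here, every other risky character is not.
    if any(_risky(ch) for ch in uri if ch != "%"):
        return False, "raw blank, quote or control character"
    # Model the single handler-side %-decode and inspect what comes out.
    decoded = unquote(uri, encoding="latin-1")
    if any(_risky(ch) for ch in decoded):
        return False, "blank, quote, control character or '%' after decoding"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    samples = [
        "https://example.com/index.html?x=1",
        "mailto:user@example.com",
        "https://example.com/a%20b",
        "mailto:a%22b@example.com",
        "https://example.com/a%2520b",
        "file:///C:/temp/x.txt",
    ]
    for s in samples:
        print(s, "->", check_uri_for_handler(s))
```

A caller would hand the URI to the launch function only when the first element of the result is true, and log the reason otherwise.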
