Windows build number: Microsoft Windows [Version 10.0.15063]
Create a directory named q&a.
Within this directory create a bat file named elevate.bat with the following contents:
echo hello
timeout /t 30
And a vbs file named elevate.vbs with the following contents:
Set objShell = CreateObject("Shell.Application")
objShell.ShellExecute "elevate.bat", "", "", "runas", 1
Then double-click elevate.vbs.
Expected behavior: Windows prompts for administrator privileges and then the batch script executes and outputs "hello".
Actual behavior: Windows prompts for administrator privileges but the batch script never executes, because Windows does not escape the ampersand in the current working directory correctly.
The interesting thing here is we are relying on the current working directory to pass the full path to the elevate.bat script. This leaves all escaping to Windows.
If the full path to these files has no ampersand, i.e. qa instead of q&a, everything will work.
But, if the full path includes an ampersand, Windows itself won't escape the ampersand when ShellExecute expands the path to elevate.bat.
This can also be reproduced using a PowerShell Start-Process script, making me think it's something common to both.
We found this while working through https://github.com/jorangreef/sudo-prompt/issues/97.
@bitcrazed, please would you take a quick look at this. It's easy to reproduce.
Please don't do that. conhost is not involved in CreateProcess, Shell.Application or Start-Process. You're just asking for trouble.
@jorangreef Appreciate you filing the issue. It would, at first glance, seem like it's the command-line's job to launch these processes, but it is not!
PowerShell's Start-Process uses ShellExecute or CreateProcess (on Windows), and open/xdgOpen on Mac/Linux via Process.Start.
Trying to find someone involved in CreateProcess et al. to help out. Stay tuned.
Thanks @bitcrazed, appreciate you looking into this and getting people involved.
Just an update for everyone following this:
We're now thinking to work around this simply by copying cmd.exe to the same directory as the script we want to execute.
It's an ugly (but beautiful) hack...
It shouldn't be necessary... but it is.
@bitcrazed thanks for your help with this, as a last-ditch effort, if there's anyone you can rope in on this it would be much appreciated.
I am not certain how copying cmd.exe from Windows (which will have the same issues as the ones in-box) will help. Can you explain that a bit more?