SPE Anatol - 2007-08-22

Since this information is somehow hard to find, I specify the rules for DOS command shell (unblackboxed):

The main difference between the DOS command shell and a Unix command shell is that the DOS command shell does not split parameters or substitute file names for patterns. Every DOS program gets just one parameter: the entire command line without the application name, i.e. the first word, which is detached; doubly quoted strings are regarded as non-blank characters (e.g. ‘C:\"PROGRAM FILES"\"WINDOWS NT"\ACCESSORIES\WORDPAD.EXE’). If no arguments are specified, the final double quote mark is optional.
The command name ends with a blank, in which case the following blanks are discarded, or with a semicolon, which is passed in the command line, or with a special character. The same rules are used for redirection paths.

As a compatibility quirk, the option character ‘/’ ends the command name when the command comes without an explicit path, as in ‘DIR/P’.

An executable program can interpret the command line as it wishes. Popular runtime environments parse the command line according to their own conventions. E.g. the Microsoft Visual C++ runtime environment uses only blanks as word separators and uses the backslash ‘\’ to escape quotation marks and backslashes followed by quotation marks. It allows the application to be configured to expand file patterns but does not do so by default (or vice versa, depending on the version of the build environment).

The characters ‘<’ (input redirection), ‘>’ (output redirection), ‘&’ (command separator) and ‘^’ (escape) are special unless their special meaning has been toggled by a previous unescaped quotation mark. Note
Examples:
The command ‘ECHO "1 2" & ECHO 3’ prints
"1 2"
3
as expected.
The command ‘ECHO ^"1 2" & ECHO 3’ prints ‘"1 2" & ECHO 3’.
The command ‘ECHO "1 2^" & ECHO 3’ prints
"1 2^"
3
because it is impossible to escape the closing quotation mark — the escape character is inactive.
Finally, the command ‘ECHO ^"1 2^" & ECHO 3’ prints
"1 2"
3
again.

Every quotation mark either begins or ends a word quotation; this function cannot be escaped (paths cannot contain quotation marks anyway).

Command arguments for shell scripts are passed with quotation marks retained. The runtime environment for command-line tools usually strips them off except where escaped.

In order to prevent an environment variable from expanding, quote the second percent sign, not the first. Example: %PATH^%, ^"%PATH^%^" (note that the quotation marks must be quoted as well).

The escape character ‘^’ disappears before any character except inside a quotation.
If it appears at end of line, the next line is a continuation line; the escape character is reapplied to the first character. For best results, do not start continuation lines with a quotation unless you want the quotation mark to be escaped as explained above, probably because the quotation itself needs to span several lines, as in my original example; in that case all special characters and the closing quotation mark should be escaped as well. I could have been more explicit by saying
….bat^
^"..\base…

…src^" API

Shell scripts using unquoted parameters are vulnerable because the script text is reparsed after variable substitution.
Examples: The following script
ECHO %1
ECHO %2
given argument ‘^^’ executes command ‘ECHO ECHO’.
The following innocent script
ECHO %1 %2
given arguments ‘^> .’ executes command ‘ECHO 1>.’ which (fortunately) fails.
given argument ‘^&DEL *’ executes command ‘DEL *’ which (fortunately) prompts.
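The escaping, quoting and reparsing rules described in this comment can be modelled in a few dozen lines. The following is an added example, not code from the comment's author: a small Python model of how cmd.exe splits a line into commands (‘^’ escapes and disappears outside quotation marks, an unescaped ‘"’ toggles quotation and is passed through, ‘&’ separates commands only outside quotation marks, a trailing ‘^’ joins the next line) together with %1..%9 substitution, so that one can see which commands a script line actually runs after substitution. It assumes the parameter values are those the script receives, i.e. after the caller's own shell has processed what was typed (a caller who types ‘^&DEL *’ hands the script ‘&DEL’ and ‘*’); redirection is not modelled, and the sample lines are constructed from the comment's own examples. It goes one step beyond the comment by also showing that quoting the parameter in the script stops an ‘&’ but not a ‘"’ inside the value, since quotation marks cannot be escaped.

```python
import re

# Characters the comment describes as special outside quotation marks.
COMMAND_SEPARATOR = "&"
ESCAPE = "^"
QUOTE = '"'


def split_commands(text):
    """Split a command line into the commands cmd.exe would run, following the
    rules in the comment: '^' escapes the next character and disappears, unless
    inside quotation marks; an unescaped '"' toggles quotation and is retained;
    '&' separates commands only outside quotation marks; a '^' at end of line
    swallows the newline and is reapplied to the next line's first character.
    Redirection ('<', '>') is deliberately not modelled here."""
    commands, current = [], []
    in_quote = False
    escape_next = False
    i = 0
    while i < len(text):
        ch = text[i]
        if escape_next:
            current.append(ch)            # taken literally, even '"' or '&'
            escape_next = False
        elif ch == ESCAPE and not in_quote:
            if i + 1 < len(text) and text[i + 1] == "\n":
                i += 1                    # continuation line: drop the newline
            escape_next = True            # the escape character itself disappears
        elif ch == QUOTE:
            in_quote = not in_quote       # a quotation mark inside quotes cannot be escaped
            current.append(ch)
        elif ch == COMMAND_SEPARATOR and not in_quote:
            commands.append("".join(current))
            current = []
        elif ch == "\n":
            commands.append("".join(current))
            current, in_quote = [], False
        else:
            current.append(ch)
        i += 1
    commands.append("".join(current))
    return [c.strip() for c in commands if c.strip()]


def expand_parameters(template, params):
    """Substitute %1..%9 in a script line with the values the script received.
    A single pass is used so that a value containing '%2' is not expanded again."""
    def value(match):
        n = int(match.group(1))
        return params[n - 1] if n <= len(params) else ""
    return re.sub(r"%([1-9])", value, template)


def script_commands(template, params):
    """The commands actually executed when a script line is reparsed after substitution."""
    return split_commands(expand_parameters(template, params))


def parameter_injects_command(template, params):
    """True when the substituted values add a command the template did not contain."""
    baseline = len(split_commands(expand_parameters(template, [])))
    return len(script_commands(template, params)) > baseline


if __name__ == "__main__":
    # Constructed lines mirroring the comment's ECHO examples.
    for line in ('ECHO "1 2" & ECHO 3', 'ECHO ^"1 2" & ECHO 3',
                 'ECHO "1 2^" & ECHO 3', 'ECHO ^"1 2^" & ECHO 3'):
        print(repr(line), "->", split_commands(line))
    # The script 'ECHO %1 %2' receiving '&DEL' and '*' (what a caller typing ^&DEL * hands over).
    print(script_commands("ECHO %1 %2", ["&DEL", "*"]))      # ['ECHO', 'DEL *']
    # Continuation: 'ECHO %1' / 'ECHO %2' receiving a single '^'.
    print(script_commands("ECHO %1\nECHO %2", ["^"]))        # ['ECHO ECHO']
    # Quoting the parameter in the script stops '&' but not a '"' inside the value.
    print(script_commands('ECHO "%1"', ["&DEL"]))             # ['ECHO "&DEL"']
    print(script_commands('ECHO "%1"', ['x" & DEL *']))       # ['ECHO "x"', 'DEL *"']
```

The model is only as faithful as the rules in the comment; it is meant for reasoning about which argument values turn a script line into more than one command, not as a replacement for testing against a real cmd.exe.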