Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

[Paul Szabo <psz@xxxxxxxxxxxxxxxxx>]

What I see as "root cause", is not what IE7 has changed. Windows was
always confused about quoting, may parse and re-parse a command an
unspecified number of times. Compared to Unix, it confuses system(3)
with execl(3).

In the registry there are shell\open\command keys, set to 'prog %1'. It
should be clear to Windows that there is a command with one argument;
but it will normally mis-parse blanks within %1 and have many arguments.
Some registry keys are set to 'prog "%1"' to protect against blanks, but
those are vulnerable to embedded quotes. I only guess that things are
generally unsafe against embedded % characters (though maybe not the URL
protocol handlers we are specifically worried about here).

A number of similar issues would be solved if Windows would respect the
"command with one argument" setting, parsing the registry key just once.

Cheers,

Paul Szabo   psz@xxxxxxxxxxxxxxxxx   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/