Shell extension uses unquoted program path


Shell extension uses unquoted program path

Postby AnandBhat » Thu Jan 10, 2013 10:49 am

After reading https://isc.sans.edu/diary/Help+elimina ... ties/14464, I noticed an unquoted path vulnerability in the WinMerge shell extension feature. I tried the latest Alpha release (2.13.21 alpha) and the issue continues to be present. Can you please have this addressed in your next release?

Steps to reproduce the issue:
1. Install WinMerge in the default location (C:\Program Files\WinMerge) and enable shell extensions.
2. Create a copy of calc.exe and place it as C:\program.exe
3. Attempt to use the shell extension (either Compare or Compare As... after selecting two files or directories).
4. The copy of calc.exe opens up instead of WinMerge, indicating that the shell extension tried to invoke WinMerge using an unquoted command path.

Let me know if you need any other details.
AnandBhat
 
Posts: 2
Joined: Thu Jan 10, 2013 10:34 am

Re: Shell extension uses unquoted program path

Postby jtuc » Sun Jan 13, 2013 5:52 pm

jtuc
Developer
 
Posts: 182
Joined: Sat Dec 20, 2008 11:05 am

Re: Shell extension uses unquoted program path

Postby AnandBhat » Tue Jan 15, 2013 5:53 am

Thanks!
AnandBhat
 
Posts: 2
Joined: Thu Jan 10, 2013 10:34 am

Re: Shell extension uses unquoted program path

Postby christianlist » Wed Feb 20, 2013 2:01 am

This particular bug is now fixed in WinMerge 2.14.0

But I left my copy of Calc.exe at C:\Program.exe and noticed another bug:
When WinMerge is launched from TortoiseSVN it too uses unquoted paths.
It turns out that our installer integration with TortoiseSVN (and possibly the other integrations too) is adding the integration using an unquoted path.
christianlist
Site Admin
 
Posts: 68
Joined: Thu Sep 11, 2008 5:16 pm
Location: USA

Re: Shell extension uses unquoted program path

Postby ethan3 » Sun Jul 28, 2013 11:34 am

AnandBhat wrote:After reading https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464, I noticed an unquoted path vulnerability in the WinMerge shell extension feature. I tried the latest Alpha release (2.13.21 alpha) and the issue continues to be present. Can you please have this addressed in your next release?

Steps to reproduce the issue:
1. Install WinMerge in the default location (C:\Program Files\WinMerge) and enable shell extensions.
2. Create a copy of calc.exe and place it as C:\program.exe
3. Attempt to use the shell extension (either Compare or Compare As... after selecting two files or directories).
4. The copy of calc.exe opens up instead of WinMerge, indicating that the shell extension tried to invoke WinMerge using an unquoted command path.

Let me know if you need any other details.

I am using WinMerge Portable 2.14.0 without any bugs. It includes full support for archives with the bundled 7-Zip plugin.
ethan3
 
Posts: 2
Joined: Sun Jul 28, 2013 7:38 am
