From 3130a7455a9fb53e14a08d2c9d6d904810159df1 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Mon, 10 Jun 2024 21:28:19 +0200
Subject: [PATCH] Fix windows parameter encoding to prevent abuse of unicode characters with best fit encoding conversion
---
 src/Composer/Util/ProcessExecutor.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/Composer/Util/ProcessExecutor.php b/src/Composer/Util/ProcessExecutor.php
index b546b1529..6694a6e87 100644
--- a/src/Composer/Util/ProcessExecutor.php
+++ b/src/Composer/Util/ProcessExecutor.php
@@ -495,7 +495,9 @@ class ProcessExecutor
 }

 // New lines break cmd.exe command parsing
- $argument = strtr($argument, "\n", ' ');
+ // and special chars like the fullwidth quote can be used to break out
+ // of parameter encoding via "Best Fit" encoding conversion
+ $argument = strtr($argument, ["\n" => ' ', '"' => '"', ':' => ':', '/' => '/']);

 // In addition to whitespace, commas need quoting to preserve paths
 $quote = strpbrk($argument, " \t,") !== false;
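Review bot: The look-alike characters in the new `strtr` map are written as literal characters, and as rendered here the three added pairs read as ASCII-to-ASCII (`'"' => '"'`), which would make the replacement a no-op; presumably the keys are the fullwidth forms and were normalised somewhere between the commit and this page. Spelling the keys as escapes, for example `"\u{FF02}" => '"', "\u{FF1A}" => ':', "\u{FF0F}" => '/'` (if the supported PHP floor allows `\u{}`), keeps the intent reviewable and survives editors or tooling that normalise Unicode. The map is also a denylist of three code points, while which characters best-fit to `"`, `:` or `/` depends on the active Windows code page, so the comment should say how the list was chosen and whether it is meant to be exhaustive. A regression test that passes each key through this escaping routine and asserts the quoted result would pin the behaviour. The enclosing function starts and ends outside the hunk, so the later quoting steps could not be checked against the new substitutions.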