From ba4ad2408ae642e25b93d36b9c3e5cfcd9e1361d Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Mon, 10 Jun 2024 21:28:19 +0200 Subject: [PATCH] Fix windows parameter encoding to prevent abuse of unicode characters with best fit encoding conversion --- src/Composer/Util/ProcessExecutor.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/Composer/Util/ProcessExecutor.php b/src/Composer/Util/ProcessExecutor.php index ca181d7d3..ea8098c16 100644 --- a/src/Composer/Util/ProcessExecutor.php +++ b/src/Composer/Util/ProcessExecutor.php @@ -488,7 +488,9 @@ class ProcessExecutor } // New lines break cmd.exe command parsing - $argument = strtr($argument, "\n", ' '); + // and special chars like the fullwidth quote can be used to break out + // of parameter encoding via "Best Fit" encoding conversion + $argument = strtr($argument, ["\n" => ' ', '"' => '"', ':' => ':', '/' => '/']); // In addition to whitespace, commas need quoting to preserve paths $quote = strpbrk($argument, " \t,") !== false;