Opened 5 years ago

Last modified 5 years ago

#343 new defect

exec deliberately escapes double quotes

Reported by: dmik Owned by:
Priority: normal Milestone: new
Component: libc Version: 0.6.6
Severity: normal Keywords:


I found out that the exec* call (and spawn as well I assume) deliberately escapes double quote characters in arguments with a backslash. This is fine for binaries that are built with kLIBC itself as this will be unescaped back before calling main (so that the application will not even notice this). However, it screws binaries based on other runtimes (e.g. rexx.exe or wrc.exe).

Change History (2)

comment:1 Changed 5 years ago by dmik

The test case:


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <process.h>

int main (int argc, char **argv)
printf ("parent: pid=%d [%s]\n", _getpid (), argv[0]);
int rc = execlp ("child.cmd", "child.cmd", "'foo'", "\x22""bar""\x22", NULL);
printf ("parent: exec=%d (%d:%s)\n", rc, errno, strerror(errno));
return 0;


parse arg args
say 'args = ['args']'

If you start parent.exe, the output will be:

parent: pid=12016 [D:\Coding\Tests\c\exec\parent.exe]
parent: args=[1]
args = ['foo' \"bar\"]

This will completely screw up the target program which doesn't expect " to be escaped this way. The real life case of such a screw up screw up is wrc.exe. See here And seems to be a similar case as well.

In the test case above cmd.exe is used to process the REXX script so cmd.exe is affected as well (expectedly).

Last edited 5 years ago by dmik (previous) (diff)

comment:2 Changed 5 years ago by dmik

IIRC, there is some heuristic in one of the exec worker functions that decides if it should escape double quotes and do some other *nix related stuff but if so then it breaks in the mentioned cases for some reason.

Last edited 5 years ago by dmik (previous) (diff)
Note: See TracTickets for help on using tickets.