Fix windows parameter encoding to prevent abuse of unicode characters with best fit encoding conversion

Seldaek · Seldaek · commit 3130a7455a9f · 2024-06-10T21:28:19.000+02:00
diff --git a/src/Composer/Util/ProcessExecutor.php b/src/Composer/Util/ProcessExecutor.php
@@ -495,7 +495,9 @@ private static function escapeArgument($argument): string
         }
 
         // New lines break cmd.exe command parsing
-        $argument = strtr($argument, "\n", ' ');
+        // and special chars like the fullwidth quote can be used to break out
+        // of parameter encoding via "Best Fit" encoding conversion
+        $argument = strtr($argument, ["\n" => ' ', '＂' => '"', '：' => ':', '／' => '/']);
 
         // In addition to whitespace, commas need quoting to preserve paths
         $quote = strpbrk($argument, " \t,") !== false;

Original file line number	Diff line number	Diff line change
`@@ -495,7 +495,9 @@ private static function escapeArgument($argument): string`
`495`	`495`	`}`
`496`	`496`
`497`	`497`	`// New lines break cmd.exe command parsing`
`498`		`- $argument = strtr($argument, "\n", ' ');`
	`498`	`+ // and special chars like the fullwidth quote can be used to break out`
	`499`	`+ // of parameter encoding via "Best Fit" encoding conversion`
	`500`	`+ $argument = strtr($argument, ["\n" => ' ', '＂' => '"', '：' => ':', '／' => '/']);`
`499`	`501`
`500`	`502`	`// In addition to whitespace, commas need quoting to preserve paths`
`501`	`503`	`$quote = strpbrk($argument, " \t,") !== false;`