daniel:// stenberg:// on Nostr: closed a third. Turns out Windows sometimes does fun IDN-like Unicode-to-ASCII ...
closed a third. Turns out Windows sometimes does fun IDN-like Unicode-to-ASCII conversions for command lines that then allow users to insert Unicode characters in cmdline arguments when run on Windows, and they are converted to their ASCII look-alike counterparts. Which can be abused to insert arguments and what not.
Not a curl security flaw. Just the weirdest Windows feature I've seen in a while. And probably a security problem in many places.
Published at 2024-06-16 08:06:20