Conclusion
In general, we can safely pass arbitrary command line arguments to programs, provided we take a few basic precautions.
Do:
- Always escape all arguments so that they will be decoded properly by CommandLineToArgvW, perhaps using my ArgvQuote function above.
- After step 1, then if and only if the command line produced will be interpreted by cmd, prefix each shell metacharacter (or each character) with a ^ character.
Do not:
- Simply add quotes around command line arguments without any further processing.
- Allow cmd to ever see an unescaped " character.
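The two "Do" steps and the first "Do not" item, as an added example that is not code from the original article (its ArgvQuote is separate). The names quote_arg, escape_for_cmd and parse_args are chosen here, parse_args is a simplified model of the quote and backslash decoding rather than the real CommandLineToArgvW, and the metacharacter set is an assumption.

```cpp
#include <iostream>
#include <string>
#include <vector>
// Step 1: quote one argument so CommandLineToArgvW-style parsing recovers it.
std::string quote_arg(const std::string& arg) {
    std::string out = "\"";
    size_t slashes = 0;
    for (char c : arg) {
        if (c == '\\') { ++slashes; continue; }
        out.append(c == '"' ? slashes * 2 + 1 : slashes, '\\');  // 2n+1 before a quote
        out.push_back(c);
        slashes = 0;
    }
    out.append(slashes * 2, '\\');  // trailing run sits before the closing quote
    return out + "\"";
}
// Step 2, only when cmd will interpret the line: caret-prefix metacharacters.
std::string escape_for_cmd(const std::string& line) {
    const std::string meta = "()%!^\"<>&|";  // assumed metacharacter set
    std::string out;
    for (char c : line) {
        if (meta.find(c) != std::string::npos) out.push_back('^');
        out.push_back(c);
    }
    return out;
}
// Simplified model of the backslash/quote decoding, for round-trip checks.
std::vector<std::string> parse_args(const std::string& s) {
    std::vector<std::string> args;
    std::string cur;
    bool quoted = false, have = false;
    for (size_t i = 0; i < s.size(); ++i) {
        size_t n = 0;
        while (i < s.size() && s[i] == '\\') { ++n; ++i; }
        bool quote = i < s.size() && s[i] == '"';
        cur.append(quote ? n / 2 : n, '\\');
        have = have || n > 0;
        if (i == s.size()) break;
        if (quote && n % 2) cur.push_back('"');             // escaped literal quote
        else if (quote) { quoted = !quoted; have = true; }  // quote delimiter
        else if (s[i] == ' ' && !quoted) { if (have) args.push_back(cur); cur.clear(); have = false; }
        else { cur.push_back(s[i]); have = true; }
    }
    if (have) args.push_back(cur);
    return args;
}
int main() {
    std::cout << escape_for_cmd(quote_arg("C:\\dir\\") + " " + quote_arg("say \"hi\" & more")) << "\n";
}
```

Feeding parse_args the naively quoted line "C:\dir\" next yields a single merged argument, which is the failure the first "Do not" item describes.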
Notes
1 Worse.
2 You did follow my links above, yes?
3 I know you didn't.
4 Just to be clear: CommandLineToArgvW neither knows nor cares about cmd's metacharacters and looks only for " and \.