git.ipfire.org Git - thirdparty/xz.git/commit

author	Lasse Collin <lasse.collin@tukaani.org>
	Tue, 1 Oct 2024 09:10:23 +0000 (12:10 +0300)
committer	Lasse Collin <lasse.collin@tukaani.org>
	Tue, 1 Oct 2024 09:10:23 +0000 (12:10 +0300)
commit	46ee0061629fb075d61d83839e14dd193337af59
tree	340f423cdbef1b7228c8fa08af73fbd574d12c9a	tree
parent	dad153091552b52a41b95ec4981c6951f1cae487	commit \| diff

Windows: Embed an application manifest in the EXE files

IMPORTANT: This includes a security fix to command line tool
           argument handling.

Some toolchains embed an application manifest by default to declare
UAC-compliance. Some also declare compatibility with Vista/8/8.1/10/11
to let the app access features newer than those of Vista.

We want all the above but also two more things:

  - Declare that the app is long path aware to support paths longer
    than 259 characters (this may also require a registry change).

  - Force the code page to UTF-8. This allows the command line tools
    to access files whose names contain characters that don't exist
    in the current legacy code page (except unpaired surrogates).
    The UTF-8 code page also fixes security issues in command line
    argument handling which can be exploited with malicious filenames.
    See the new file w32_application.manifest.comments.txt.

Thanks to Orange Tsai and splitline from DEVCORE Research Team
for discovering this issue.

Thanks to Vijay Sarvepalli for reporting the issue to me.

Thanks to Kelvin Lee for testing with MSVC and helping with
the required build system fixes.

CMakeLists.txt		diff \| blob \| blame \| history
src/Makefile.am		diff \| blob \| blame \| history
src/common/common_w32res.rc		diff \| blob \| blame \| history
src/common/w32_application.manifest	[new file with mode: 0644]	blob
src/common/w32_application.manifest.comments.txt	[new file with mode: 0644]	blob