[SERVER-79069] command line censoring can't protect servers on Windows
Created: 04/Jun/20 Updated: 18/Jul/23
| Status: | Backlog |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Minor - P4 |
| Reporter: | Billy Donahue | Assignee: | Backlog - Security Team |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | triaged |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Windows |
| Assigned Teams: | Server Security |
| Operating System: | ALL |
| Participants: |
| Description |
|
The censorArgvArray in
is meant to overwrite argv to hide command-line secrets from `ps` or `/proc` traversal. But on Windows, the argv we give is not the real argvW. It's a copy, so modifying it has no effect. Windows processes have a special undocumented PEB block that may need to be modified to do the censoring properly. |
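
The failure mode described in this ticket, as an added example for Linux that is not MongoDB's `censorArgvArray` and not part of the original report: censoring a copy of argv leaves the secret visible in `/proc/self/cmdline`, while censoring the real argv memory hides it. The `--password` flag and the names `censor_args`, `copy_args` and `cmdline_shows` are hypothetical; the deep copy stands in for the copied argv the ticket describes on Windows.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SECRET_FLAG "--password" /* hypothetical option name for this example */

/* Overwrite the value of "--password V" or "--password=V" with 'x' in place. */
int censor_args(int argc, char **argv) {
    size_t flen = strlen(SECRET_FLAG);
    int censored = 0;
    for (int i = 1; i < argc; i++) {
        char *val = NULL;
        if (strncmp(argv[i], SECRET_FLAG, flen) != 0) continue;
        if (argv[i][flen] == '=') val = argv[i] + flen + 1;
        else if (argv[i][flen] == '\0' && i + 1 < argc) val = argv[++i];
        if (val) { memset(val, 'x', strlen(val)); censored++; }
    }
    return censored; /* number of values overwritten */
}
/* Deep-copy argv: models a runtime that hands main() a copy of the arguments. */
char **copy_args(int argc, char **argv) {
    char **out = calloc((size_t)argc + 1, sizeof *out);
    if (!out) abort();
    for (int i = 0; i < argc; i++) {
        out[i] = malloc(strlen(argv[i]) + 1);
        if (!out[i]) abort();
        strcpy(out[i], argv[i]);
    }
    return out;
}
/* 1 if needle shows in /proc/self/cmdline, 0 if not, -1 if unreadable. */
int cmdline_shows(const char *needle) {
    char buf[4096];
    FILE *f = fopen("/proc/self/cmdline", "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    for (size_t i = 0; i < n; i++) if (buf[i] == '\0') buf[i] = ' ';
    buf[n] = '\0';
    return strstr(buf, needle) != NULL;
}
int main(int argc, char **argv) { /* run: ./demo --password <constructed value> */
    char probe[256] = "";
    if (argc < 3) return 2;
    snprintf(probe, sizeof probe, "%s", argv[2]); /* remember value to look for */
    censor_args(argc, copy_args(argc, argv));     /* censor only a copy */
    printf("copy censored: visible=%d\n", cmdline_shows(probe));
    censor_args(argc, argv);                      /* censor the real argv */
    printf("argv censored: visible=%d\n", cmdline_shows(probe));
    return 0;
}
```

On Linux the first line prints `visible=1` and the second `visible=0`, which is the check a censoring routine needs on every platform: inspect the process from the outside, not the array that was modified.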