Rob van der Woude's Scripting Pages

News Archives 2014 Q4


December 29, 2014 Printing.exe has been updated: it accepts a regular expression pattern for the printer selection (/X:"regex"), and its output is now sorted by printer name (default), by printer status (/S:S), or by the number of queued print jobs (/S:J). The command line switches /Quiet and /Verbose have been dropped (use >NUL 2>&1 to hide all output).

• A bug in InputBox.exe has been fixed: if a timeout was specified, the program would return the unfiltered and unvalidated default answer when the timeout period expired, regardless of mask or regular expression; the new version returns the input entered so far, filtered and validated, with the appropriate errorlevel.

• A minor bug in Which.exe has been fixed: when /F or /P is used, the program will no longer display (file version ) or (product version ) for files that don't have a FileVersion or ProductVersion property.
December 24, 2014 InputBox.exe has been updated: besides regular expression based filtering with its /R switch, it now also supports mask based input filtering with its new /M switch.
December 18, 2014 UpdateCheck.hta has been updated.
Adding a new INI parameter DisplayName, to search the registry for program versions, forced me to rewrite part of the code, as it became too hard to maintain.
I also fixed a bug where the HTA would not save all intermediate results in separate files; when fixed, my computer became so littered with these files that I also added an optional /DSWP switch to disable the fixed feature again.

ListProgs.bat is a helper batch file for UpdateCheck.hta's new DisplayName parameter: it lists all registry keys that have both DisplayName and DisplayVersion set, and of course these values themselves.
December 12, 2014 Which.exe has been updated: with the new optional command line switches /F and /P the File and Product version will be displayed for the result, if it is an external command.
December 10, 2014 • Scott Sumner found a bug in the (not quite) "fool proof" input routine for SET /P: in a batch file, the redirection to NUL of FINDSTR's output caused the errorlevel to always equal 0.
I modified the code; the check for the errorlevel is now done before FINDSTR's output is redirected to NUL.

Thanks Scott
December 9, 2014 • Eelco Ligtvoet found some bugs in ListIntCmd.exe:
  • it would fail on single character separators,
  • in Windows 8.1 and Server 2012 DATE, KEYS and TIME would be omitted, and HH and XCOPY (both external commands) added,
  • and on some servers it would fail because it required .NET Framework 4.
These issues have now all been fixed (.NET Framework 2.0 is now the minimum requirement), at the expense of possibly missing some new internal commands in future Windows versions.

Thanks Eelco
December 8, 2014 Which.exe has been updated: it no longer uses a hard-coded list of internal commands, but searches %COMSPEC% for that list (and falls back to the old hard-coded list only if it fails to get the list from %COMSPEC%).

ListIntCmd.exe has been updated:
  • the program now accepts \n, \t and """" in the separator string
  • the new optional command line switch /C tells the program to copy the result to the clipboard
  • the new optional command line switch /L[:logfile] tells the program to log the intermediate search results
Eelco Ligtvoet has been testing ListIntCmd.exe on non-Windows 7 systems, allowing me to fix some bugs in the program.
Since ListIntCmd.exe's code is also used in other programs (BatCodeCheck.exe and Which.exe), I really appreciate Eelco's help.

Thanks Eelco
December 7, 2014 ListIntCmd.exe, a spin-off of BatCodeCheck, is a new tool to list all available internal commands.
Tested on my own Windows 7 system only, so far.
December 5, 2014 • The C# Examples page has been restyled.
Besides a new icon style, a new icon has been added for each program, opening the program's help text when clicked.

LoCase.exe and UpCase.exe have been updated: besides renaming files to all lower or all upper case, they can now also render redirected input to all lower or all upper case.
Locase.exe ThisFile.Ext will rename ThisFile.Ext to thisfile.ext.
DIR | UpCase.exe will show DIR's output in all upper case.
December 4, 2014 RxReplace.exe is a new, multi-line, regex based find and replace tool.

Which.exe has been updated: the new optional command line switch /C copies the result to the clipboard, and /E opens Explorer with the result selected, if and only if the result is a (single) file, i.e. an external command.

• I added a command to list all internal commands to my Short Command Line Tips page:
STRINGS %ComSpec% | RXGREP "[\n\r]CLS[\n\r][\w\W\n\r]*COMSPEC[\n\r]" | SORT | RXGREP "([A-Z]+[\n\r]+)+" | SORT
Tested on my own Windows 7 system only, so far.
November 28, 2014 UpdateCheck.hta has been updated.
Several new command line switches and INI file parameters were added, and the program list (INI file) itself is now checked for updates too.
Note that the new INI file parameters will not be recognized by UpdateCheck.vbs.
November 20, 2014 • The new version 0.32 of BatCodeCheck went through a major reshuffle of command line switches.
If you created batch files to run BatCodeCheck, modify those accordingly.
BatCodeCheck now checks an environment variable %BatCodeCheck% for some default switches, like DIR does with %DIRCMD%.
BatCodeCheck's new /I switch allows you to interactively modify the settings for the current "run"; this feature will be available in beta versions and future licensed versions of BatCodeCheck only.
November 15, 2014 • The new version 0.30.5 of BatCodeCheck accepts two new optional command line switches: /S to split one-liners, and test each part as a separate command line; and /H to save the screen output to an HTML file.
November 10, 2014 • I created a new page with known issues for BatCodeCheck.
If you find any bugs, errors or unexpected results, please send the details to my e-mail address.
November 8, 2014 BatCodeCheck has been added to UpdateCheck.hta's program list.
November 7, 2014 BatCodeCheck had several minor updates again: it now also tests for invalid command line switches of several internal commands, and for unescaped ECHOed parentheses inside code blocks.
October 30, 2014 • A tutorial on safely using SET /P to prompt for input has been added to the batch file Best Practices section.

BatCodeCheck now also tests for SET /P.
October 29, 2014 BatCodeCheck has been updated again: it now distinguishes between real errors (that do break your code) and bad practices (that may some day break your code).
October 28, 2014 BatCodeCheck has been updated: case sensitivity has been corrected and several new tests for some common errors were added.
October 22, 2014 • I added a page on batch file best practices to this site: DOs and DON'Ts When Writing Batch Files.

• I also added a page dedicated to BatCodeCheck.
October 13, 2014 • Wolfgang Struensee also found a bug in DropDownBox.exe: it didn't resize the prompt correctly if the window height was specified.
Besides, "\n" in the prompt string wasn't interpreted as a line break.
Both issues have been fixed in version 1.01.

Thanks Wolfgang
October 12, 2014 • Wolfgang Struensee found a bug in DateTimeBox.exe: it didn't handle unspecified (default) date/time display formats correctly.
To fix the bug I changed the initial date and time patterns from String.Empty to CultureInfo.CurrentCulture.DateTimeFormat.ShortDatePattern and CultureInfo.CurrentCulture.DateTimeFormat.LongTimePattern.

Thanks Wolfgang
October 9, 2014 BatCodeCheck.exe has been updated: it now finds unquoted %CD% "derivates" like %CD:~0,2% or %__CD__:\=/% too.

• While testing the BatCodeCheck.exe update on my batch files I found another vulnerability in RoboMove.bat that previous tests had missed: unquoted %__CD__:~2% to extract the current path without drive.
It is much safer to use FOR %%A IN (.\) DO SET Currentpath="%%~pA" instead.
RoboMove.bat has been updated accordingly.
October 7, 2014 • I had been pondering on a Batch Files Best Practices section for a while, and then the recent code insertion vulnerability disclosure made it clear I just had to add it, now!
The first part discusses some solutions for the vulnerability in (unquoted) %CD%, plus command line input validation and a safer alternative.
October 2, 2014 • The impact of the security code insertion vulnerability for batch files is probably a lot greater than just these few scripts that used unquoted %CD%, though these did pose the greatest risk.
Unquoted parsing of command line arguments (%1 etc.) also poses a risk, though in that case the arguments usually come from the current user, whereas, on a file server, the value of %CD% is the name of a directory created by just about anyone.
Still, expect many updates of my existing batch files in the next couple of weeks, and check your own batch files.
I will implement more "best practice" warnings in BatCodeCheck.exe too.
October 1, 2014 • A security vulnerability for "shell scripts" (batch files) has been disclosed: http://www.thesecurityfactory.be/command-injection-windows.html.
In short, it warns against the use of unquoted %CD% because malicious users may abuse it to start unwanted programs by creating directories with ampersands in their names.
I urge you to read the details in the link above and investigate your batch files for the use of unquoted %CD% (or %__CD__% for that matter, and don't forget !CD! and !__CD__! either).
I have my work cut out for me...
The disclosure includes a copy of my Own.bat for Windows 2000 to demonstrate vulnerable code.
Note that the batch file used as a sample has been updated to prevent the vulnerability, but I left the vulnerable code in comments for learning purposes.

• Now that I have to check many batch files for the code insertion vulnerability, I added a preliminary test for this vulnerability in BatCodeCheck.exe.

• An automated test on 417 batch files out of the 993 (mixed) source files hosted on this website took just under 2 minutes, and discovered 9 affected files. I will investigate these files and update them if necessary.

  • DirComp.bat, fixed: the quotes had to be removed at some point, but the batch file now aborts on folders with ampersands in their names
  • DiskUse.bat (Windows 2000 version), fixed: %CD% was used by PUSHD, which doesn't mind doublequotes
  • DiskUse.bat (Windows NT 4 version), fixed: %CD% was used by PUSHD, which doesn't mind doublequotes
  • DLL_Menu.bat, fixed: %CD% was used only in the help text, so adding doublequotes did not pose a problem
  • Own.bat, false positive: remember I left the vulnerable code in comments? I'll have to improve BatCodeCheck's test routine
  • Pict.bat, fixed: %CD% was used in (HTML) output only, so adding doublequotes did not pose a problem
  • RoboMove.bat, false positive: "%CD%" was doublequoted already; later fixed: the vulnerable code (%__CD__:~2%) wasn't found until the 0.24 beta 2014-10-09 update of BatCodeCheck
  • SFN.bat, removed: absolutely obsolete
  • Which.bat (Windows XP version), fixed: doublequotes were not an option, but %CD% for the current path could be replaced by .\
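As an added illustration of the kind of preliminary test described in the October 1 and October 9 entries (Python written for this page, not BatCodeCheck's own C# code): a scanner that flags %CD%-style expansions that sit outside double quotes, including the substring/replace derivates and the !CD! forms, and that skips REM and :: comment lines so commented-out code like Own.bat's is not reported. The batch sample is constructed, and the odd-quote-count check is a simplifying assumption, not the real tool's parser.

```python
import re

# Matches %CD% and %__CD__%, their substring/replace variants such as
# %CD:~0,2% or %__CD__:\=/%, and the delayed-expansion forms !CD! / !__CD__!.
# The backreference forces matching delimiters (% ... % or ! ... !).
CD_PATTERN = re.compile(r'(?i)(?P<d>[%!])(?:CD|__CD__)(?::[^%!]*)?(?P=d)')


def _in_quotes(line, pos):
    """Heuristic (assumption): an odd number of double quotes before pos
    means the expansion sits inside "..." and is not reparsed as a command."""
    return line[:pos].count('"') % 2 == 1


def _is_comment(line):
    """REM and :: lines are never executed, so %CD% there is harmless
    (this avoids the Own.bat false positive mentioned above)."""
    s = line.lstrip().upper()
    return s == 'REM' or s.startswith('REM ') or s.startswith('::')


def scan_batch(text):
    """Return (line_no, token) for every unquoted %CD%-style expansion."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if _is_comment(line):
            continue
        for m in CD_PATTERN.finditer(line):
            if not _in_quotes(line, m.start()):
                findings.append((no, m.group(0)))
    return findings


# Constructed sample, not one of the site's batch files: the comment lines
# keep the vulnerable forms, the live lines show the hardened alternatives.
SAMPLE_BAT = r'''@ECHO OFF
REM Vulnerable forms, kept in comments for learning purposes:
REM PUSHD %CD%
:: FOR %%A IN (%__CD__:~2%) DO ECHO %%A
PUSHD "%CD%"
ECHO Current path is "%CD:~0,2%"
SET Drive=%CD:~0,2%
ECHO !__CD__:\=/!
FOR %%A IN (.\) DO SET Currentpath="%%~pA"
'''

if __name__ == '__main__':
    for no, token in scan_batch(SAMPLE_BAT):
        print('line %d: unquoted %s' % (no, token))
```

Running the block reports lines 7 and 8 of the sample; the quoted PUSHD and ECHO lines and the FOR-based alternative pass clean.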


• Alarmed by the code insertion vulnerability disclosure, I updated InputBox.exe:
  • by default it will filter (remove) all & < > | " from the result
  • an optional switch /N disables the filter
  • an optional switch /R:regex blocks the result if it does not match regex
  • doublequotes are always removed from the result



page last uploaded: 2015-08-24, 21:13