3

I have this password, ;d#se#&4~75EY(H[SM"%cznGB.

I need to use this inside an automatically created command line command.

(using it for TFS Release pipeline, to create a virtual directory and this password belongs to a service user and saved in a global variable as secret input, and TFS puts that password string in doublequotes when creating the command).

Having a hard time escaping the scpecial characters in it.

What I tried so far is to escape all alphanumeric characters by ^ and escaping % and " characters by doubling them. But so far, didn't have much luck :(

The list of failed attempts are these.

;d#se#&4~75EY^(H[SM""%%cznGB

;d#se#&4~75EY(H[SM\"%%cznGB

^;d^#se^#^&4^~75EY^(H^[SM""%%cznGB

^;d^#se^#^&4^~75EY^(H^[SM\"^%cznGB

^;d^#se^#^&4^~75EY^(H^[SM\"%%cznGB

^;d^#se^#^&4^~75EY^(H^[SM""^%%cznGB

;d#se#&4~75EY(H[SM"^^^%%cznGB

;d#se#&4~75EY(H[SM"^^^^%%cznGB

;d#se#&4~75EY(H[SM^""^%%cznGB

^;d^#se^#^&4^~75EY^(H^[SM^""^%%cznGB

^;d^#se^#^&4^~75EY^(H^[SM^""%%cznGB

;d#se#&4~75EY(H[SM""%%cznGB

Can you please give me a hand finding the correct escaped string to use it in a batch or in CMD as an inline command?

Before anyone downvotes this question because I posted a password, I edited many parts of it before posting. Just saying :)

UPDATE:

As I mentioned in the question, TFS creates a command text to set the virtual folder access credentials to IIS, for a specific web application. The log shows the command text like this.

"C:\WINDOWS\system32\inetsrv\appcmd.exe" set vdir /vdir.name:"appfolder/Files" -physicalPath:"\\servername\virtualfolder" -userName:"sa_user@domain.com" -password:";d#se#&4~75EY(H[SM"%cznGB"

(I entered the password as it is, for this output)

ilter
  • 4,030
  • 3
  • 34
  • 51
  • Welcome to a world of pain... Maybe you want to use PowerShell instead? – CherryDT Jul 22 '20 at 11:46
  • Yes, it seems that I am welcome :) But I cannot. I'm stuck with TFS's predefined tasks and they use command line creating their IIS commands. :( It would be easier tough... – ilter Jul 22 '20 at 11:47
  • 1
    Usually, doublequotes `"` don't need escaping. Percentsigns are escaped by doubling them, other poison chars (only `&` in your example) by a preceding `^`. Of course it all depends, how `tfs` handles the string... – Stephan Jul 22 '20 at 11:51
  • I forgot to mention. TFS creates the command putting that password input between doublequotes. Updating my question. – ilter Jul 22 '20 at 11:56
  • Can you show how this is created in the batch/on cmd? It depends how it is used, then I could help. – Gerhard Jul 22 '20 at 12:05
  • @Gerhard Updated the question to provide the output command text. – ilter Jul 22 '20 at 12:52
  • 1
    So do you save this command in a batch file, or do you manually run it from cmd? – Gerhard Jul 22 '20 at 14:29
  • If you can `^` escape the quotes around the password, try: `... -password:^";d#se#^&4~75EY(H[SM\^"^%cznGB^"`, otherwise: `... -password:";d#se#&4~75EY(H[SM\"^%cznGB"`. Also worth reading: https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way – Iridium Jul 22 '20 at 14:45
  • Use `"-password:;d#se#&4~75EY(H[SM""%%cznGB"` (double inner double quote) or `"-password:;d#se#&4~75EY(H[SM\"%%cznGB"` (escape double quote using a backslash). From a batch file always double percent sign. – JosefZ Jul 22 '20 at 14:57
  • @JosefZ Thank you. But, unfortunately this is the second of my failed trials (see the question). I am afraid I have no clue what to try next :( Tried that again, to make sure, but the same result... – ilter Jul 22 '20 at 15:19
  • Any luck with mine? – Iridium Jul 22 '20 at 15:52
  • Yes, I know. However, note that I advise other placement of the opening double quote: `"-password:;d#se#&4~75EY(H[SM""%%cznGB"` instead of `-password:";d#se#&4~75EY(H[SM""%%cznGB"` – JosefZ Jul 22 '20 at 15:55
  • @JosefZ yes, I see that, but I have no control over how the command is created. I can only enter a parameter, and the command is created by the system as -password:"blabla" format. nothing I can control... – ilter Jul 22 '20 at 16:45
  • @Iridium Sorry, I also tried yours, with no luck... – ilter Jul 22 '20 at 16:46
  • @Gerhard I have no control on the created output. I just enter a variable in TFS and it creates a command and runs it on its own. – ilter Jul 22 '20 at 19:42
  • I understand, I was trying to see how you initiate this so I could help, but I see that you are ok now. :) – Gerhard Jul 22 '20 at 19:46
  • @Iridium.. I think you might be misunderstand the escaping double quotes part. Escaping of double quotes is not required. you can see the results by doing `echo "string"` and `echo ^"string^"`. There are only certain times where the first set of double quotes are consumed by `cmd` so we have to double up, but actually escaping double quotes that are quoting an item will not solve the issue here. – Gerhard Jul 22 '20 at 19:49
  • @Gerhard - The purpose of `^`-escaping *all* the quotes is to avoid cmd's quote handling entirely. It may not be strictly necessary, but it avoids having to deal with the cmd command-line parsing rules on top of the (subtly different) Windows API command-line parsing rules, the latter being easier to deal with, since it permits escaping double-quotes within double-quoted strings. See the link in my comment for more details on the rationale. – Iridium Jul 22 '20 at 20:48

2 Answers2

3

How interesting this all character escaping thing works! I continued serching, and read everything I could find. The result is that all that should be escaped with in double quotes, are the double quotes themselves...

(correct me if there's something I am missing, that was correct for my case)

The resulting string that should be used in the TFS variable (and I tested it, it works!) is this:

;d#se#&4~75EY(H[SM""%cznGB

The only thing I added to the original password was another double quote near the double quote.

That answer certainly helped me. No wonder why experementing by yourselves preserves better than reading tons of articles :/

https://stackoverflow.com/a/15262019/2443719

Thanks to everyone who commented and left an answer to this thread.

ilter
  • 4,030
  • 3
  • 34
  • 51
  • ok, so in actual fact the first double quotes were consumed by the prompt. That is the reason I asked how this is used, then We could have determined that earlier, but you did good research, so well done. – Gerhard Jul 22 '20 at 19:56
1
rem // enable delayed expansion to expand other poison characters safely
@Echo off & setlocal EnableExtensions EnableDelayedExpansion
rem // escape % character by doubling
Set "PW=;d#se#&4~75EY(H[SM"%%cznGB"
"C:\WINDOWS\system32\inetsrv\appcmd.exe"  set vdir /vdir.name:"appfolder/Files" -physicalPath:"\\servername\virtualfolder" -userName:"sa_user@domain.com" -password:"!PW!"
Endlocal
T3RR0R
  • 2,747
  • 3
  • 10
  • 25
  • I didn't try but this could work if I gave it a go with a cmd task. But I would rather use it inside a TFS - IIS Manage Task. Do you have an alternative for doublequotes after the -password parameter, like -password="sadfdsf"? – ilter Jul 22 '20 at 17:09