From 38c153fbc88fa7f177bd2ffcc17f357d5a058573 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Mon, 13 Jun 2022 17:32:02 +0200
Subject: [PATCH] Escape problematic characters in CREDITS files

On Windows, the contents of the CREDITS files are passed to rc.exe via
the command line.  To avoid undesired behavior, we need to escape some
characters, most notably `<` (which is sometimes used in CREDITS to
enclose mail addresses), which otherwise is interpreted as redirection
operator, resulting in the hard to understand "The system cannot find
the file specified."

Even more dangerous is not properly escaping percent signs, which makes
it possible for a malicious CREDITS file to inject the values of
environment variables of the build system into the generated binaries.
This is particularly bad, because as of Windows Vista, the comments can
no longer be inspected via explorer.exe, although the binaries still
contain these comments.

We also cater to double-quotes, which need to be escaped as `\"\"` in
this context.
---
 win32/build/confutils.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/win32/build/confutils.js b/win32/build/confutils.js
index 9bf1bf28141d4..fdea272aa58a9 100644
--- a/win32/build/confutils.js
+++ b/win32/build/confutils.js
@@ -1098,7 +1098,7 @@ function generate_version_info_resource(makefiletarget, basename, creditspath, s
 		if (thanks == null) {
 			thanks = "";
 		} else {
-			thanks = "Thanks to " + thanks;
+			thanks = "Thanks to " + thanks.replace(/([<>&|%])/g, "^$1").replace(/"/g, '\\"\\"');
 		}
 		credits.Close();
 	}