From 7e4626cbceb72ad495eda8f3d95a8ece359ad485 Mon Sep 17 00:00:00 2001
From: Klemens Morgenstern <klemens.morgenstern@gmx.net>
Date: Mon, 6 Oct 2025 13:31:27 +0800
Subject: [PATCH] batch file execution is forbidden by default

---
 include/boost/process/v2/windows/default_launcher.hpp | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/include/boost/process/v2/windows/default_launcher.hpp b/include/boost/process/v2/windows/default_launcher.hpp
index 52d863a25..b61477430 100644
--- a/include/boost/process/v2/windows/default_launcher.hpp
+++ b/include/boost/process/v2/windows/default_launcher.hpp
@@ -225,6 +225,9 @@ struct default_launcher
                               INVALID_HANDLE_VALUE,
                               INVALID_HANDLE_VALUE},
                               nullptr};
+  /// Allow batch files to be executed, which might pose a security threat.
+  bool allow_batch_files = false;
+                              
   /// The process_information that gets assigned after a call to CreateProcess
   PROCESS_INFORMATION process_information{nullptr, nullptr, 0,0};
 
@@ -293,6 +296,12 @@ struct default_launcher
                   Args && args,
                   Inits && ... inits ) -> enable_init<Executor, Inits...>
   {
+    if (!allow_batch_files && ((executable.extension() == ".bat") || (executable.extension() == ".cmd")))
+    {
+       BOOST_PROCESS_V2_ASSIGN_EC(ec, ERROR_ACCESS_DENIED, system_category());
+       return basic_process<Executor>(exec);
+    }
+  
     auto command_line = this->build_command_line(executable, std::forward<Args>(args));
 
     ec = detail::on_setup(*this, executable, command_line, inits...);
@@ -438,4 +447,4 @@ BOOST_PROCESS_V2_END_NAMESPACE
 
 
 
-#endif //BOOST_PROCESS_V2_WINDOWS_DEFAULT_LAUNCHER_HPP
\ No newline at end of file
+#endif //BOOST_PROCESS_V2_WINDOWS_DEFAULT_LAUNCHER_HPP