From 91b08d6fbd0a76c7968fa04e7d834bd69962fa65 Mon Sep 17 00:00:00 2001
From: albertony <12441419+albertony@users.noreply.github.com>
Date: Tue, 7 Jan 2025 15:40:14 +0100
Subject: [PATCH] Replace Windows-specific NewLazyDLL with NewLazySystemDLL

This will only search Windows System directory for the DLL if name is a base name (like "advapi32.dll"), which prevents DLL preloading attacks. To get access to NewLazySystemDLL imports of syscall needs to be swapped with golang.org/x/sys/windows.
---
 backend/local/about_windows.go | 8 ++++----
 lib/terminal/hidden_windows.go | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/backend/local/about_windows.go b/backend/local/about_windows.go
index 1d4ab338e..bda2a5504 100644
--- a/backend/local/about_windows.go
+++ b/backend/local/about_windows.go
@@ -5,18 +5,18 @@ package local
 import (
 "context"
 "fmt"
- "syscall"
 "unsafe"
 "github.com/rclone/rclone/fs"
+ "golang.org/x/sys/windows"
 )
-var getFreeDiskSpace = syscall.NewLazyDLL("kernel32.dll").NewProc("GetDiskFreeSpaceExW")
+var getFreeDiskSpace = windows.NewLazySystemDLL("kernel32.dll").NewProc("GetDiskFreeSpaceExW")
 // About gets quota information
 func (f *Fs) About(ctx context.Context) (*fs.Usage, error) {
 var available, total, free int64
- root, e := syscall.UTF16PtrFromString(f.root)
+ root, e := windows.UTF16PtrFromString(f.root)
 if e != nil {
 return nil, fmt.Errorf("failed to read disk usage: %w", e)
 }
@@ -26,7 +26,7 @@ func (f *Fs) About(ctx context.Context) (*fs.Usage, error) {
 uintptr(unsafe.Pointer(&total)), // lpTotalNumberOfBytes
 uintptr(unsafe.Pointer(&free)), // lpTotalNumberOfFreeBytes
 )
- if e1 != syscall.Errno(0) {
+ if e1 != windows.Errno(0) {
 return nil, fmt.Errorf("failed to read disk usage: %w", e1)
 }
 usage := &fs.Usage{
diff --git a/lib/terminal/hidden_windows.go b/lib/terminal/hidden_windows.go
index 62eda1e3d..1bc7f5e77 100644
--- a/lib/terminal/hidden_windows.go
+++ b/lib/terminal/hidden_windows.go
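Review bot: In backend/local/about_windows.go (first hunk), the reason for choosing `windows.NewLazySystemDLL` is recorded only in the commit message, so nothing at the declaration of `getFreeDiskSpace` tells a later editor that switching back to `NewLazyDLL` reopens the DLL search-order exposure. A one-line comment above the var would carry that: `// NewLazySystemDLL limits the lookup to the Windows system directory, which avoids DLL preloading.` If the project's linter configuration permits it, a rule rejecting `syscall.NewLazyDLL` repository-wide would keep other Windows files from regressing. About's body continues past the end of this hunk.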
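Review bot: In backend/local/about_windows.go (second hunk), the changed test `if e1 != windows.Errno(0) {` still decides success from the last-error value rather than from the result of GetDiskFreeSpaceExW. The documentation of `LazyProc.Call` states that the returned error is always non-nil and that callers must inspect the primary return value before consulting it, so a stale or incidental last-error code can be reported as a failure. The call statement is outside this hunk, so this assumes its first result is currently discarded; if so, capture it as `ret, _, e1 := getFreeDiskSpace.Call(` and test `if ret == 0 {` instead.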
@@ -3,13 +3,13 @@
 package terminal
 import (
- "syscall"
+ "golang.org/x/sys/windows"
 )
 // HideConsole hides the console window and activates another window
 func HideConsole() {
- getConsoleWindow := syscall.NewLazyDLL("kernel32.dll").NewProc("GetConsoleWindow")
- showWindow := syscall.NewLazyDLL("user32.dll").NewProc("ShowWindow")
+ getConsoleWindow := windows.NewLazySystemDLL("kernel32.dll").NewProc("GetConsoleWindow")
+ showWindow := windows.NewLazySystemDLL("user32.dll").NewProc("ShowWindow")
 if getConsoleWindow.Find() == nil && showWindow.Find() == nil {
 hwnd, _, _ := getConsoleWindow.Call()
 if hwnd != 0 {
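Review bot: In lib/terminal/hidden_windows.go, HideConsole builds both lazy procs afresh on every call, while about_windows.go in the same commit keeps its proc in a package-level `var`. Hoisting them, for example `var procGetConsoleWindow = windows.NewLazySystemDLL("kernel32.dll").NewProc("GetConsoleWindow")`, would put the system-directory loading policy in one declaration per proc, where it is easier to audit. The errors from `Find()` are only compared with nil, so a DLL that fails to resolve from the system directory makes the function a silent no-op; the doc comment could say so. HideConsole's body continues outside the hunk.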