From 8601ae18edab90766e9671f194b9aaa4e155b53c Mon Sep 17 00:00:00 2001
From: Tal500 <tal_hd@hotmail.com>
Date: Sun, 19 Apr 2026 13:23:54 +0300
Subject: [PATCH 1/3] clientloop: rename Windows xauth helper for clarity

---
 clientloop.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)

diff --git a/clientloop.c b/clientloop.c
index f3350a83b1fc..e659b45358d1 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -285,6 +285,31 @@ client_x11_display_valid(const char *display)
 
 #define SSH_X11_PROTO		"MIT-MAGIC-COOKIE-1"
 #define X11_TIMEOUT_SLACK	60
+#ifdef WINDOWS
+/*
+ * Keep Windows xauth process launch in one helper so all subprocess flags and
+ * argv handling stay consistent in this signal/console-sensitive path.
+ */
+static pid_t
+client_x11_run_xauth_for_windows(const char *cmd, arglist *args, FILE **f)
+{
+	u_int flags = SSH_SUBPROCESS_STDERR_DISCARD |
+	    SSH_SUBPROCESS_UNSAFE_PATH | SSH_SUBPROCESS_PRESERVE_ENV;
+	u_int i;
+
+	if (f != NULL)
+		flags |= SSH_SUBPROCESS_STDOUT_CAPTURE;
+	else
+		flags |= SSH_SUBPROCESS_STDOUT_DISCARD;
+
+	for (i = 0; i < args->num; i++)
+		debug3_f("xauth argv[%u]: %s", i, args->list[i]);
+
+	return subprocess("xauth", cmd, args->num, args->list, f, flags,
+	    NULL, NULL, NULL);
+}
+#endif
+
 int
 client_x11_get_proto(struct ssh *ssh, const char *display,
     const char *xauth_path, u_int trusted, u_int timeout,
@@ -388,8 +413,34 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
 				channel_set_x11_refuse_time(ssh,
 				    x11_refuse_time);
 			}
+#ifdef WINDOWS
+			{
+				int status;
+				pid_t pid;
+				arglist args;
+
+				memset(&args, 0, sizeof(args));
+				addargs(&args, "%s", xauth_path);
+				addargs(&args, "-f");
+				addargs(&args, "%s", xauthfile);
+				addargs(&args, "generate");
+				addargs(&args, "%s", display);
+				addargs(&args, "%s", SSH_X11_PROTO);
+				addargs(&args, "untrusted");
+				if (timeout != 0) {
+					addargs(&args, "timeout");
+					addargs(&args, "%u", x11_timeout_real);
+				}
+				pid = client_x11_run_xauth_for_windows(cmd, &args, NULL);
+				if (pid != 0 && waitpid(pid, &status, 0) == pid &&
+				    WIFEXITED(status) && WEXITSTATUS(status) == 0)
+					generated = 1;
+				freeargs(&args);
+			}
+#else
 			if (system(cmd) == 0)
 				generated = 1;
+#endif
 			free(cmd);
 		}
 
@@ -410,12 +461,39 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
 			    generated ? xauthfile : "",
 			    display);
 			debug2("x11_get_proto: %s", cmd);
+#ifdef WINDOWS
+			{
+				int status;
+				pid_t pid;
+				arglist args;
+
+				memset(&args, 0, sizeof(args));
+				addargs(&args, "%s", xauth_path);
+				if (generated) {
+					addargs(&args, "-f");
+					addargs(&args, "%s", xauthfile);
+				}
+				addargs(&args, "list");
+				addargs(&args, "%s", display);
+				pid = client_x11_run_xauth_for_windows(cmd, &args, &f);
+				if (pid != 0 && f != NULL &&
+				    fgets(line, sizeof(line), f) &&
+				    sscanf(line, "%*s %511s %511s", proto, data) == 2)
+					got_data = 1;
+				if (f != NULL)
+					fclose(f);
+				if (pid != 0)
+					(void)waitpid(pid, &status, 0);
+				freeargs(&args);
+			}
+#else
 			f = popen(cmd, "r");
 			if (f && fgets(line, sizeof(line), f) &&
 			    sscanf(line, "%*s %511s %511s", proto, data) == 2)
 				got_data = 1;
 			if (f)
 				pclose(f);
+#endif
 			free(cmd);
 		}
 	}

From a5657eb4c42b5a1f7e3fa708987d5cde6ae59aa3 Mon Sep 17 00:00:00 2001
From: Tal500 <tal_hd@hotmail.com>
Date: Thu, 23 Apr 2026 12:21:48 +0300
Subject: [PATCH 2/3] add a missing include

---
 clientloop.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/clientloop.c b/clientloop.c
index e659b45358d1..10c3ab396c4e 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -70,6 +70,7 @@
 # include <sys/time.h>
 #endif
 #include <sys/socket.h>
+#include <sys/wait.h>
 
 #include <ctype.h>
 #include <errno.h>

From 88c9995ca6eb35cada0e363d3245c4c4d290b0c1 Mon Sep 17 00:00:00 2001
From: Tal500 <tal_hd@hotmail.com>
Date: Mon, 27 Apr 2026 19:31:24 +0300
Subject: [PATCH 3/3] use exited_cleanly() instead

---
 clientloop.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/clientloop.c b/clientloop.c
index 10c3ab396c4e..016a1f734bdf 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -70,7 +70,6 @@
 # include <sys/time.h>
 #endif
 #include <sys/socket.h>
-#include <sys/wait.h>
 
 #include <ctype.h>
 #include <errno.h>
@@ -416,7 +415,6 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
 			}
 #ifdef WINDOWS
 			{
-				int status;
 				pid_t pid;
 				arglist args;
 
@@ -433,8 +431,8 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
 					addargs(&args, "%u", x11_timeout_real);
 				}
 				pid = client_x11_run_xauth_for_windows(cmd, &args, NULL);
-				if (pid != 0 && waitpid(pid, &status, 0) == pid &&
-				    WIFEXITED(status) && WEXITSTATUS(status) == 0)
+				if (pid != 0 &&
+				    exited_cleanly(pid, "xauth", cmd, 1) == 0)
 					generated = 1;
 				freeargs(&args);
 			}
@@ -464,7 +462,6 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
 			debug2("x11_get_proto: %s", cmd);
 #ifdef WINDOWS
 			{
-				int status;
 				pid_t pid;
 				arglist args;
 
@@ -484,7 +481,7 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
 				if (f != NULL)
 					fclose(f);
 				if (pid != 0)
-					(void)waitpid(pid, &status, 0);
+					(void)exited_cleanly(pid, "xauth", cmd, 1);
 				freeargs(&args);
 			}
 #else