Does this registry entry for implementing custom protocol handlers in Windows present a security risk?


Background

Some features are not yet available on the web platform and thus require cooperation with a native application in order to provide them. One method for a web application and a native application to communicate with each other is a custom protocol handler.

For instance, the web application can call "mycustomproto://some/params", where "mycustomproto" must first be registered with the operating system as a valid URI protocol. On Windows, this is done in the registry. There are a few keys/subkeys/values etc that must be added to the registry, but only one actually deals with specifying the executable and it’s parameter(s).

Note that once the protocol handler is registered with the operating system, it can be launched by any website that knows of its existence, subjecting it to potential abuse.


Example Windows registry value for this purpose

All of the examples that I’ve found documenting this show the following:

C:\myapp.exe "%1"


Primary Question

Assuming that the registered handler (e.g. "myapp.exe") has zero possible security flaws, is the above example registry value sufficient for ensuring that malicious websites are unable to piggyback additional commands and/or arguments?


Clarifications

  • For the purpose of this question, please assume that the protocol handler (e.g. "myapp.exe") is incapable of exposing vulnerabilities of its own – it’s idle – it launches, does nothing, and quits. This question is specifically related to the browser and/or OS and the "execution" of this registry value.
  • Can malicious actors somehow escape out of the "%1" double quotes and cause the browser and/or OS to run additional commands (e.g. && C:\Win32\do-something-malicious.example.exe)?
  • Similarly, can malicious actors somehow send additional arguments to the protocol handler? Or does the "%1" ensure that the handler will only ever receive a single argument?
  • If this registry value is insufficient to only ever call the protocol handler (and nothing more) with a single argument, is there a better way?