Critical Rust flaw enables Windows command injection attacks

0x0@programming.dev · 7 months ago

Critical Rust flaw enables Windows command injection attacks

FizzyOrange@programming.dev · 7 months ago

Seems a bit clickbaity to me. It’s a flaw in Windows/cmd.exe, not Rust. Rust is just called out because it tries to emulated proper argument passing on Windows (and didn’t get it perfectly right). All languages are affected by this but most of them just throw their hands in the air and say “you’re on your own”:

Erlang (documentation update)
Go (documentation update)
Haskell (patch available)
Java (won’t fix)
Node.js (patch will be available)
PHP (patch will be available)
Python (documentation update)
Ruby (documentation update)

It’s also extremely unlikely that you’d be running a bat script with untrusted arguments on Windows.

onlinepersona@programming.dev · 7 months ago

At least it’s not a segfault, buffer overflow, or whatever else plagues C/C++ programs and is not easy to detect.

Anti Commercial AI thingy

CC BY-NC-SA 4.0

Sekoia@lemmy.blahaj.zone · 7 months ago

Also, the reason this is a CVE is because Rust itself guarantees that calling commands doesn’t evaluate shell stuff (but this breaks that guarantee). As far as I know C/C++ makes no such guarantee whatsoever.

Buttons@programming.dev · 7 months ago

Our bug is their status quo.