But it got a 10/10 on the scoring system by Github.
The issue isn’t actually too much related to the Rust core language itself, but rather how they handle scripts on Windows platform. So if you don’t have a Windows program that runs Batch scripts, then it doesn’t matter to you. I wonder how common it is to run Batch scripts in Rust?
Also, the reason this is a CVE is because Rust itself guarantees that calling commands doesn’t evaluate shell stuff (but this breaks that guarantee). As far as I know C/C++ makes no such guarantee whatsoever.
At least it’s not a segfault, buffer overflow, or whatever else plagues C/C++ programs and is not easy to detect.
Anti Commercial AI thingy
CC BY-NC-SA 4.0
But it got a 10/10 on the scoring system by Github.
The issue isn’t actually too much related to the Rust core language itself, but rather how they handle scripts on Windows platform. So if you don’t have a Windows program that runs Batch scripts, then it doesn’t matter to you. I wonder how common it is to run Batch scripts in Rust?
This only matters when running the scripts with user inputs passed as arguments to the command, which I can’t imagine being remotely common at all.
I don’t think my company uses batch scripts anywhere, but if they did, it would probably be in the app installer for Windows or something.
Also, the reason this is a CVE is because Rust itself guarantees that calling commands doesn’t evaluate shell stuff (but this breaks that guarantee). As far as I know C/C++ makes no such guarantee whatsoever.
Our bug is their status quo.