Critical Rust flaw enables Windows command injection attacks - eviltoast
    • anton@lemmy.blahaj.zone
      7 months ago

      I looked at the diff, it’s around 100 lines of new code and a few hundred lines of comments and tests.
      I couldn’t have written it, but there are many smarter people that fixed it after they learned of the problem.

      What also made it easier to fix is that they (sensibly) chose to error on certain strings that can’t be escaped safely.

      • bizdelnick@lemmy.ml
        7 months ago

        It’s not a proper fix, there are still cases when correct escaping is impossible and the function simply returns an error. I don’t know if it is possible at all to escape any string or if it is just because of lack of documentation, but anyway I wouldn’t call this a thing that is easy to fix.