• @cogman
    link
    169 months ago

    This, btw, is why CVE scores are insane at times.

    The vulnerability is that when spawning a new process which is a bat file you need special treatment of the arguments to avoid spawning a second process.

    So you need a rust program setup to spawn other processes which also somehow forwards unparsed user input into those processes and is executing a bat file.

    There’s a reason nobody has fixed this, it’s because it’s an insane setup that affects basically no rust programs.