voltone
commented
2 months ago Not sure the comment to include the extension when running binaries is really necessary: we later say that "note that the {spawn_executable, FileName} form requires specifying the full path to the executable", so it looks like the extension would be required anyway, and a .bat/.cmd file with the same name wouldn't be accidentally run instead...
See https://erlangforums.com/t/user-controlled-arguments-to-open-port-2-with-spawn-spawn-executable-is-insecure-on-windows/3476 and https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/