Open janewang opened 3 months ago
@janewang @fnando @leighmcculloch Adding this here: https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html
One exception though is cmd.exe (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution.
I don't think this is an issue for our use of Command. However, we should look into our deps and update the Rust version.
All Rust versions before 1.77.2 on Windows are affected, if your code or one of your dependencies executes batch files with untrusted arguments. Other platforms or other uses on Windows are not affected.
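As an added example (not code from this issue or the soroban-cli project), the two checks this comment calls for: whether a Command call site actually targets a batch file, the only case the advisory covers, and whether the toolchain is at or past 1.77.2. The helper names are hypothetical, the rustc version strings in the tests are constructed, and the Windows-only function assumes it is run on Windows, where it shows the patched standard library refusing an argument it cannot escape safely.

```rust
// Added example, not from the issue thread or the soroban-cli code base.
// Helper names are hypothetical; the 1.77.2 boundary comes from the advisory.
use std::path::Path;

/// True when `program` is a batch file (.bat/.cmd, case-insensitive) and would
/// therefore be run through cmd.exe, the only case CVE-2024-24576 covers.
pub fn is_batch_program(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|ext| ext.to_str())
        .map(|ext| ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Parses a `rustc --version` line (e.g. "rustc 1.77.1 (<hash> <date>)") and
/// reports whether the toolchain is 1.77.2 or newer. Returns None when no
/// major.minor.patch triple can be found in the line.
pub fn toolchain_is_patched(rustc_version_line: &str) -> Option<bool> {
    let token = rustc_version_line
        .split_whitespace()
        .find(|t| t.starts_with(|c: char| c.is_ascii_digit()))?;
    let mut nums = token
        .split(|c: char| !c.is_ascii_digit())
        .filter(|s| !s.is_empty())
        .map(|s| s.parse::<u32>().ok());
    let major = nums.next()??;
    let minor = nums.next()??;
    let patch = nums.next()??;
    Some((major, minor, patch) >= (1, 77, 2))
}

/// Windows-only demonstration of the patched behaviour: when std cannot escape
/// an argument safely for cmd.exe it refuses to spawn with `InvalidInput`
/// instead of letting the argument reach the shell. A newline is used as the
/// constructed unsafe argument; the batch file does not need to exist.
#[cfg(windows)]
pub fn spawn_is_rejected() -> bool {
    use std::io::ErrorKind;
    use std::process::Command;
    let result = Command::new("example-does-not-exist.bat").arg("a\nb").spawn();
    matches!(result, Err(e) if e.kind() == ErrorKind::InvalidInput)
}

fn main() {
    println!("deploy.bat is a batch program: {}", is_batch_program("deploy.bat"));
    // Constructed version strings; hash and date are placeholders.
    println!("1.77.1 patched? {:?}", toolchain_is_patched("rustc 1.77.1 (abcdef012 2024-01-01)"));
    println!("1.77.2 patched? {:?}", toolchain_is_patched("rustc 1.77.2 (abcdef012 2024-01-01)"));
    #[cfg(windows)]
    println!("unsafe batch argument rejected by std: {}", spawn_is_rejected());
}
```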
Remaining: --alias and contract init (fix initialize.js, which right now is *nix only).
https://github.com/stellar/soroban-cli/issues/1248
When ^ is done, we can fix the last article that needs fixing.
Sorry, got over-zealous with github ticket assignments
We'd like to build a robust testing infrastructure for different Operating Systems (including windows) and provide the same level of support for Windows CLI users as other OSs. Where possible, we need to include Windows as a standard part of our testing infrastructure.
Given PowerShell is now available out of the box in newer versions of Windows, we're going to align the docs to PowerShell (not cmd).