Were there actually any real-world use-cases affected by this? Do any of them not deserve to be named and shamed irregardless of this vulnerability?
If it was up to me, I would nuke the cmd custom implementation, leave some helpful compile error messages behind, and direct users to some 3rd party crates to choose from.
Edit: to be clear, there is no “custom implementation” of cmd itself, nor is the problem exclusive to Rust. This is a problem with the Windows cmd itself.
Were there actually any real-world use-cases affected by this? Do any of them not deserve to be named and shamed irregardless of this vulnerability?
If it was up to me, I would nuke the cmd custom implementation, leave some helpful compile error messages behind, and direct users to some 3rd party crates to choose from.
What custom implementation? The escaping logic?
Edit: to be clear, there is no “custom implementation” of
cmditself, nor is the problem exclusive to Rust. This is a problem with the Windowscmditself.Doing such a regression on a Tier 1 target would be a really big blow to the language’s reputation imo