And in fact it’s not specific to Rust, and Rust is the first language with a fix available. (Thanks to some other comments for pointing this out.) Java has apparently declared it “won’t fix.”
I looked at the diff, it’s around 100 lines of new code and a few hundred lines of comments and tests.
I couldn’t have written it, but there are many smarter people that fixed it after they learned of the problem.
What also made it easier to fix is that they (sensibly) chose to error on certain strings that can’t be escaped safely.
It’s not a proper fix, there are still cases when correct escaping is impossible and the function simply returns a error. I don"t know if if this possible at all to escape any string or if it is just because of lack of documentation, but anyway i wouldn’t call this a thing that is easy to fix.
Now that it has been identified, it should be an easy fix, at least.
Still, it’s important to remember that Rust is still a relatively young ecosystem and flaws like this exist until we get burned by them.
And in fact it’s not specific to Rust, and Rust is the first language with a fix available. (Thanks to some other comments for pointing this out.) Java has apparently declared it “won’t fix.”
https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/#appendix-b-status-of-the-affected-programming-languages
But it’s not. Have you read the article?
I looked at the diff, it’s around 100 lines of new code and a few hundred lines of comments and tests.
I couldn’t have written it, but there are many smarter people that fixed it after they learned of the problem.
What also made it easier to fix is that they (sensibly) chose to error on certain strings that can’t be escaped safely.
It’s not a proper fix, there are still cases when correct escaping is impossible and the function simply returns a error. I don"t know if if this possible at all to escape any string or if it is just because of lack of documentation, but anyway i wouldn’t call this a thing that is easy to fix.