Introduction Hello, I’m RyotaK ( @ryotkak ), a security engineer at Flatt Security Inc. Recently, I reported multiple vulnerabilities to several programming languages that allowed an attacker to perform command injection on Windows when the specific conditions were satisfied. Today, affected vendors published advisories of these vulnerabilities 1, so I’m documenting the details here to provide more information about the vulnerabilities and minimize the confusion regarding the high CVSS score.
  • @FizzyOrangeEnglish
    46 months ago

    You wouldn’t be hosed on Linux for example. Note that this applies to the arguments to the program, not just the program itself.

    In other words if I do run(["echo", untrusted_input]) it would be totally fine on Linux.

    • @[email protected]English
      -26 months ago

      honestly i wouldn’t trust your linux example at all, what happens with run([“echo”, “&& rm -rf /“])

      • @arendjrEnglish
        56 months ago

        It would print “&& rm -rf /“ and nothing bad would happen.