• Sekoia@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      16
      arrow-down
      3
      ·
      9 months ago

      Also, the reason this is a CVE is because Rust itself guarantees that calling commands doesn’t evaluate shell stuff (but this breaks that guarantee). As far as I know C/C++ makes no such guarantee whatsoever.

      • xmunk
        link
        fedilink
        arrow-up
        6
        ·
        9 months ago

        C++ has no guarantees built into stdlib but frameworks like Qt provide safe access - the ecosystem has options. C++ itself is quite a simple language, most of the power comes out of toolsets and frameworks built on top of it.

          • xmunk
            link
            fedilink
            arrow-up
            2
            arrow-down
            3
            ·
            9 months ago

            Vanishingly small. In Qt that’d have to be an issue in QStringList IIRC.

            • arendjr@programming.dev
              link
              fedilink
              arrow-up
              5
              arrow-down
              2
              ·
              edit-2
              9 months ago

              That’s certainly not the case, because that’s like saying the issue is with Rust’s string slices. I think you may have missed the part of the issue where batch scripts require additional escaping due to Windows’ command handling. It’s a ridiculous design of the Windows API system, which is also why (almost?) every language they tested was vulnerable, so it would be actually very outstanding if Qt prevented this.

              For C++ devs not using Qt it’s just another footgun they’ll likely keep introducing security issues with as well. But if you do use Qt, I think it’s better to double-check since it may also require a patch.