Now that it has been identified, it should be an easy fix, at least.
Still, it’s important to remember that Rust is still a relatively young ecosystem and flaws like this exist until we get burned by them.
And in fact it’s not specific to Rust, and Rust is the first language with a fix available. (Thanks to some other comments for pointing this out.) Java has apparently declared it “won’t fix.”
https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/#appendix-b-status-of-the-affected-programming-languages
But it’s not. Have you read the article?
I looked at the diff; it’s around 100 lines of new code and a few hundred lines of comments and tests.
I couldn’t have written it, but there are many smarter people that fixed it after they learned of the problem.
What also made it easier to fix is that they (sensibly) chose to error on certain strings that can’t be escaped safely.