This isn’t Rust-specific. It’s really difficult to securely start a command in Windows. I highly recommend reading https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/.
I’m honestly surprised Windows can even exist at this point.
It’s mind-boggling to me that people would dedicate their lives to learning that system when it’s such a shoddy piece of crap.
It’s amazing what a motivator money can be.
Funny how the headline makes it sound like a Rust-specific problem, as if the Rust language is unsafe or the core team was incompetent, but then other affected language standard libraries include:
- Erlang (documentation update)
- Go (documentation update)
- Haskell (patch available)
- Java (won’t fix)
- Node.js (patch will be available)
- PHP (patch will be available)
- Python (documentation update)
- Ruby (documentation update)
So actually this is a vulnerability that originates in Windows, and Rust and Haskell are the only languages that are actually protecting users from it as of right now, with Node.js and PHP to follow.