コマンドプロンプトでの引数エスケープなぁ……
魔境らしいとは聞いたことがあったが、そこまでか
> Due to the complexity of `cmd.exe`, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an `InvalidInput` error when it cannot safely escape an argument.
BatBadBut: You can't securely execute commands on Windows - Flatt Security Research
https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/
こわすぎ
flatt.tech · BatBadBut: You can't securely execute commands on WindowsIntroduction Hello, I’m RyotaK ( @ryotkak ), a security engineer at Flatt Security Inc.
Recently, I reported multiple vulnerabilities to several programming languages that allowed an attacker to perform command injection on Windows when the specific conditions were satisfied.
Today, affected vendors published advisories of these vulnerabilities 1, so I’m documenting the details here to provide more information about the vulnerabilities and minimize the confusion regarding the high CVSS score.
