[HN Gopher] BatBadBut: You can't securely execute commands on Wi...
       ___________________________________________________________________
        
       BatBadBut: You can't securely execute commands on Windows
        
       Author : explodingwaffle
       Score  : 15 points
       Date   : 2024-04-09 20:05 UTC (2 hours ago)
        
 (HTM) web link (flatt.tech)
 (TXT) w3m dump (flatt.tech)
        
       | tmgross wrote:
       | Is there any reason Windows couldn't add an equivalent of execvpe
       | for arguments and environment to be passed as arrays, which newer
       | programs could then use directly? The OS could handle safely
       | re-quoting as a string for older programs that need compatibility,
       | rather than leaving it up to the language or programmer to
       | hopefully do right. Which seems pretty difficult, based on the
       | fact that seven major languages got a CVE today - plus a possible
       | exploit in every C application that is doing this by hand.
       | 
       | The API could even be a more modern pointer+length interface
       | rather than null termination, to sidestep that class of
       | mistakes/exploits (CWE-170).
       | 
       | https://www.daviddeley.com/autohotkey/parameters/parameters....
       | is a great read on how fragmented this all seems to be.
        
       | whoisthemachine wrote:
       | This seems more like a gap in the Windows API than in the
       | programming languages.
        
       ___________________________________________________________________
       (page generated 2024-04-09 23:01 UTC)