no standard library in any programming language can fully stop our attack!
Rust does actually fix this by asking you to use std::env::args or std::env::args_os. The first will call GetCommandLineW() and do the UTF-16 to UTF-8 reencoding for you (panicking on orphaned surrogates) while the second will preserve orphaned surrogates.
Really impressive work. I imagine it’s something that’s going to be an issue for a really long time, and that people will continue to find ways to exploit this in all manner of seemingly innocuous applications.
Robots in disguise.