• arendjr@programming.dev
    link
    fedilink
    English
    arrow-up
    3
    ·
    7 months ago

    take in user sourced input without any sanitization

    But that’s exactly the problem: these applications were sanitizing the input using the APIs provided by their language standard libraries. Except that sanitization proved insufficient because the requirements for sanitization differ greatly when the command is interpreted by cmd.exe as opposed to running regular executables. This is such a big footgun in the Windows API that it was overlooked by seemingly every major programming language implementation out there.