From 43977a6edd95e215b415a880db62b20d4ecce51e Mon Sep 17 00:00:00 2001
From: wuhuiquan
Date: Tue, 3 Dec 2024 20:09:33 +0800
Subject: [PATCH] [Backport]Fix windows bat file vulnerability

Offering: Open Source Management Center
CVE: CVE-2024-43402
Reference: https://github.com/rust-lang/rust/pull/129960/commits/b666f820546ad2fd15b591acc8dfd7e7f461147e

On April 9th, 2024, the Rust Security Response WG disclosed CVE-2024-24576, where std::process::Command incorrectly escaped arguments when invoking batch files on Windows. We were notified that our fix for the vulnerability was incomplete, and it was possible to bypass the fix when the batch file name had trailing whitespace or periods (which are ignored and stripped by Windows).

Signed-off-by: wuhuiquan
---
 library/std/src/ffi/os_str.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/library/std/src/ffi/os_str.rs b/library/std/src/ffi/os_str.rs
index e5c1e6a4fbc..28aa10f5735 100644
--- a/library/std/src/ffi/os_str.rs
+++ b/library/std/src/ffi/os_str.rs
@@ -834,6 +834,7 @@ pub fn to_os_string(&self) -> OsString {
 /// and [`std::ffi`] for platform-specific, specified conversions.
 ///
 /// [`std::ffi`]: crate::ffi
+ #[cfg(windows)]
 #[inline]
 #[stable(feature = "os_str_bytes", since = "1.71.0")]
 pub fn as_encoded_bytes(&self) -> &[u8] {
-- 
Gitee
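Review bot: The added `#[cfg(windows)]` sits directly above `#[stable(feature = "os_str_bytes", since = "1.71.0")]` on `pub fn as_encoded_bytes`, so this hunk removes a stable, public `OsStr` accessor from every non-Windows target, which is an API break unrelated to the batch-file escaping problem the description names. The diffstat shows this single one-line change as the whole backport, yet nothing in it strips trailing whitespace or periods from a program name or touches argument escaping; the referenced upstream commit presumably carries further hunks in the Windows process-spawning code, so please confirm the backport is complete before merging. If the method is needed only by Windows-side code in the target branch, that should be stated in the description and the stability attribute reconciled; otherwise the `+    #[cfg(windows)]` line should be dropped. The `impl OsStr` block and the body of `as_encoded_bytes` continue outside the hunk.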