It also uses %C to pass a list of file paths. This is broadly unsafe and can cause command execution if you modify a file named, e.g., ; rm -rf xyz or similar. I think it would be difficult to turn this into an attack but it's fairly bad. This dates from D5144 in 2013.
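Added example, not Arcanist code: a Python model of the two ways to assemble the `hg cat --output` command line, the raw `%C`-style join the report describes beside a per-path quoted form (what a per-element escaping conversion such as Arcanist's `%Ls` does), with a check that tells whether a given path would reach hg as one argument. The output template, the paths and the benign marker file name are constructed for the demonstration.

```python
"""Model of the unescaped %C path list in `hg cat --output` (constructed example)."""
import shlex


def build_unsafe(output_template: str, paths: list[str]) -> str:
    # Mirrors the %C pattern: the joined path list is pasted into the command raw,
    # so shell control characters inside a file name are interpreted by the shell.
    return "hg cat --output %s %s" % (shlex.quote(output_template), " ".join(paths))


def build_safe(output_template: str, paths: list[str]) -> str:
    # Hardened form: each path is quoted individually (the %Ls-style behaviour),
    # so a file name is always a single argument no matter what it contains.
    quoted = " ".join(shlex.quote(p) for p in paths)
    return "hg cat --output %s %s" % (shlex.quote(output_template), quoted)


def shell_words(command: str) -> list[str]:
    # Tokenize the way a POSIX shell would, with ; | & ( ) < > as operators.
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


_CONTROL_OPERATORS = {";", "&&", "||", "|", "&"}


def path_stays_intact(command: str, path: str) -> bool:
    # True only if the path survives as exactly one word and no control operator
    # leaked into the command line; False means the shell would run extra commands.
    words = shell_words(command)
    return path in words and not any(w in _CONTROL_OPERATORS for w in words)


if __name__ == "__main__":
    # Constructed inputs: a harmless marker file name instead of a destructive one.
    template = "/tmp/arc/%p"
    paths = ["src/main.c", "; echo injected"]
    for label, cmd in (("unsafe", build_unsafe(template, paths)),
                       ("safe", build_safe(template, paths))):
        print(label, "->", cmd)
        print("  intact:", path_stays_intact(cmd, paths[1]))
```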
- Maniphest Tasks
- T13209: How To Properly Escape Commands on Windows (A Dark Tragedy)
- T13210: Plans: 2018 Week 41-44 Bonus Content

- rARCea6796fea5d0: (stable) Promote 2018 Week 43
- rARC637c6584c6ea: (experimental) Work around a Windows escaping issue and security concern in…
- rARC83661809e532: Work around a Windows escaping issue and security concern in "hg cat --output .