Simon Michael

Results 870 comments of Simon Michael

https://github.com/commercialhaskell/stackage/pull/7405

hledger-web is also blocked by depending on base64

> > When executing .bat or .cmd files, CreateProcess implicitly spawns cmd.exe. The System.Process command line construction does not escape characters with special meaning to cmd.exe. As a consequence, a...

https://github.com/haskell/security-advisories/blob/main/advisories/hackage/process/HSEC-2024-0003.md#demonstration seems to show how you could cause hledger to execute commands other than hledger addons, e.g. a command something like `hledger foo "\"&calc.exe"` could execute calc.exe. It's not clear...

I found a Windows VM. Yes, you can reproduce this issue very easily with hledger-1.33 in PowerShell like so - this runs hledger-foo.bat and also starts notepad:

```
PS C:\Users\Simon...
```

1.33.1 released with relaxed process bound.

And finally: hledger is back in stackage nightly as of nightly-2024-05-10.

Here's my related comment on the parent issue #1950, suggesting things to help move this forward: https://github.com/simonmichael/hledger/issues/1950#issuecomment-1382899511

I didn't see anything related in the 1.27 release notes. I suspect it's this breaking change mentioned in the [1.25 release notes](https://hledger.org/release-notes.html#hledger-125), but I don't know why the behaviour changes...

Actually, that change log item was subsequently changed (I'll update the release notes):

> The rule for auto-detecting "cash" (liquid asset) accounts in the `cashflow` report has changed: it's now...