Message 296618 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	serhiy.storchaka
Recipients	paul.moore, serhiy.storchaka, steve.dower, tim.golden, zach.ware
Date	2017-06-22.08:06:59
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1498118820.13.0.596038385019.issue30730@psf.upfronthosting.co.za>
In-reply-to

Content
It is possible to inject an environment variable in subprocess on Windows if a user data is passed to a subprocess via environment variable. Provided PR fixes this vulnerability. It also adds other checks for invalid environment (variable names containing '=') and command arguments (containing '\0'). This was a part of issue13617, but extracted to a separate issue due to increased severity.

It is possible to inject an environment variable in subprocess on Windows if a user data is passed to a subprocess via environment variable.

Provided PR fixes this vulnerability. It also adds other checks for invalid environment (variable names containing '=') and command arguments (containing '\0').

This was a part of issue13617, but extracted to a separate issue due to increased severity.

History
Date	User	Action	Args
2017-06-22 08:07:00	serhiy.storchaka	set	recipients: + serhiy.storchaka, paul.moore, tim.golden, zach.ware, steve.dower
2017-06-22 08:07:00	serhiy.storchaka	set	messageid: <1498118820.13.0.596038385019.issue30730@psf.upfronthosting.co.za>
2017-06-22 08:06:59	serhiy.storchaka	link	issue30730 messages
2017-06-22 08:06:59	serhiy.storchaka	create