Message296618
It is possible to inject an environment variable in subprocess on Windows if user data is passed to a subprocess via an environment variable.
The provided PR fixes this vulnerability. It also adds other checks for invalid environment (variable names containing '=') and command arguments (containing '\0').
This was a part of issue13617, but was extracted to a separate issue due to increased severity.
Date | User | Action | Args |
2017-06-22 08:07:00 | serhiy.storchaka | set | recipients: + serhiy.storchaka, paul.moore, tim.golden, zach.ware, steve.dower |
2017-06-22 08:07:00 | serhiy.storchaka | set | messageid: <1498118820.13.0.596038385019.issue30730@psf.upfronthosting.co.za> |
2017-06-22 08:06:59 | serhiy.storchaka | link | issue30730 messages |
2017-06-22 08:06:59 | serhiy.storchaka | create | |
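The checks named in the message, sketched as an added example; this is not the code from the PR, which the page does not show. It assumes the Windows environment block layout of null-terminated NAME=value entries closed by one more null, and the helper names and the sample value are hypothetical.

```python
def build_env_block(env):
    """Lay out env as a Windows environment block (assumed layout):
    NAME=value entries, each ended by a null, plus one closing null."""
    return "".join(f"{name}={value}\0" for name, value in env.items()) + "\0"


def parse_env_block(block):
    """Read the block back as its consumer would: split on nulls and
    stop at the first empty entry."""
    seen = {}
    for entry in block.split("\0"):
        if not entry:
            break
        name, _, value = entry.partition("=")
        seen[name] = value
    return seen


def check_env(env):
    """Reject mappings that cannot be serialized unambiguously."""
    for name, value in env.items():
        if "\0" in name or "\0" in value:
            raise ValueError(f"embedded null character in {name!r}")
        if not name or "=" in name:
            raise ValueError(f"illegal environment variable name {name!r}")
    return env


def check_args(args):
    """Reject command arguments containing a null character."""
    for arg in args:
        if "\0" in arg:
            raise ValueError("embedded null character in argument")
    return list(args)


# Constructed sample: user data copied into one environment variable.
ENV = {"APP_USER": "alice\0INJECTED=1"}


def demo():
    """Return what the child would see without checks, and whether
    check_env refuses the same mapping."""
    child_view = parse_env_block(build_env_block(ENV))
    try:
        check_env(ENV)
        rejected = False
    except ValueError:
        rejected = True
    return child_view, rejected


if __name__ == "__main__":
    print(demo())
```

Running the checks on `env` and `args` before they reach `subprocess` turns the ambiguous value into a `ValueError` instead of a second variable in the child.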