Author serhiy.storchaka
Recipients paul.moore, serhiy.storchaka, steve.dower, tim.golden, zach.ware
Date 2017-06-22.08:06:59
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
It is possible to inject an environment variable in subprocess on Windows if a user data is passed to a subprocess via environment variable.

Provided PR fixes this vulnerability. It also adds other checks for invalid environment (variable names containing '=') and command arguments (containing '\0').

This was a part of issue13617, but extracted to a separate issue due to increased severity.
Date User Action Args
2017-06-22 08:07:00serhiy.storchakasetrecipients: + serhiy.storchaka, paul.moore, tim.golden, zach.ware, steve.dower
2017-06-22 08:07:00serhiy.storchakasetmessageid: <>
2017-06-22 08:06:59serhiy.storchakalinkissue30730 messages
2017-06-22 08:06:59serhiy.storchakacreate