Author serhiy.storchaka
Recipients paul.moore, serhiy.storchaka, steve.dower, tim.golden, zach.ware
Date 2017-06-22.08:06:59
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1498118820.13.0.596038385019.issue30730@psf.upfronthosting.co.za>
In-reply-to
Content
It is possible to inject an environment variable in subprocess on Windows if a user data is passed to a subprocess via environment variable.

Provided PR fixes this vulnerability. It also adds other checks for invalid environment (variable names containing '=') and command arguments (containing '\0').

This was a part of issue13617, but extracted to a separate issue due to increased severity.
History
Date User Action Args
2017-06-22 08:07:00serhiy.storchakasetrecipients: + serhiy.storchaka, paul.moore, tim.golden, zach.ware, steve.dower
2017-06-22 08:07:00serhiy.storchakasetmessageid: <1498118820.13.0.596038385019.issue30730@psf.upfronthosting.co.za>
2017-06-22 08:06:59serhiy.storchakalinkissue30730 messages
2017-06-22 08:06:59serhiy.storchakacreate