
Author abigail
Recipients abigail, paul.moore, steve.dower, tim.golden, zach.ware
Date 2018-05-15.11:01:31
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1526382091.26.0.682650639539.issue33515@psf.upfronthosting.co.za>
In-reply-to
Content
It's possible to invoke an application without interpreting any of its arguments as shell magic:

>>> print(subprocess.check_output(["C:/testapplication.exe", "foo", "&&", "echo", "%PROGRAMFILES%"]))
Hello world from application! 5 arguments:
Argument 0: 'C:/testapplication.exe'
Argument 1: 'foo'
Argument 2: '&&'
Argument 3: 'echo'
Argument 4: '%PROGRAMFILES%'

But not so for batch scripts:

>>> print(subprocess.check_output(["C:/testscript.bat", "foo", "&&", "echo", "%PROGRAMFILES%"]))
Hello world from script! 2 arguments:
Argument 0: 'C:/testscript.bat'
Argument 1: 'foo'
C:\Program Files

I don't know if this is a fundamental limitation of Windows' batch script processing, or of the Win32 CreateProcess API, but this looks exploitable, as it allows shell injection: the subprocess docs warn about shell injection in a big red box, and promise you'll be safe if you pass a list of arguments and the default shell=False.

Tested on Python 2.7.15 and Python 3.6.5.
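The two transcripts above differ because of how the argument list is turned into a single command-line string before it reaches CreateProcess. The following is an added example, not code from the report or from CPython: it uses subprocess.list2cmdline (the real helper that subprocess applies to a list on Windows) to show the rendered string, and adds a small guard that refuses to run a .bat/.cmd target whose arguments contain cmd.exe metacharacters. The metacharacter set, the extension check and the function names are this example's own assumptions; the argv values are constructed to mirror the report.

```python
import os
import subprocess

# Characters cmd.exe treats as syntax when it re-parses a batch script's
# command line. Conservative, assumed list for this example; anything
# outside it is accepted as plain data.
CMD_METACHARS = frozenset('&|<>^%!"()\r\n')

# Extensions that cause the target to be run through cmd.exe even with
# shell=False (the behaviour shown in the report). Heuristic: a path
# without one of these suffixes is treated as a native executable.
BATCH_SUFFIXES = ('.bat', '.cmd')


def is_batch_script(path):
    """True if the program argument names a batch script by extension."""
    return os.path.splitext(path)[1].lower() in BATCH_SUFFIXES


def rendered_command_line(argv):
    """The single string subprocess builds from argv on Windows.

    subprocess.list2cmdline quotes only arguments that contain whitespace
    or double quotes, so '&&' and '%PROGRAMFILES%' pass through unquoted
    and are visible to cmd.exe as operators once a batch file is involved.
    """
    return subprocess.list2cmdline(argv)


def unsafe_batch_args(argv):
    """Indexes of arguments cmd.exe would reinterpret for a batch target.

    Returns [] when argv is empty or argv[0] is not a batch script, since a
    native executable receives its arguments verbatim (first transcript).
    """
    if not argv or not is_batch_script(argv[0]):
        return []
    return [i for i, arg in enumerate(argv[1:], start=1)
            if CMD_METACHARS & set(arg)]


def guarded_argv(argv):
    """Return argv unchanged if safe, else raise instead of reaching cmd.exe.

    Refusing is deliberate: escaping for cmd.exe is error-prone, so a
    caller that needs such arguments should avoid batch wrappers entirely.
    """
    bad = unsafe_batch_args(argv)
    if bad:
        raise ValueError(
            "refusing to run batch script %r: argument(s) %s contain cmd.exe "
            "metacharacters and would be parsed as shell syntax"
            % (argv[0], ", ".join(repr(argv[i]) for i in bad)))
    return argv


def run_checked(argv, **kwargs):
    """Drop-in for subprocess.check_output that applies the guard first."""
    return subprocess.check_output(guarded_argv(argv), **kwargs)


if __name__ == "__main__":
    # Constructed argv mirroring the batch-script transcript in the report.
    argv = ["C:/testscript.bat", "foo", "&&", "echo", "%PROGRAMFILES%"]
    print(rendered_command_line(argv))   # C:/testscript.bat foo && echo %PROGRAMFILES%
    print(unsafe_batch_args(argv))       # [2, 4]
```

rendered_command_line runs on any platform because list2cmdline is pure Python; it makes the injection path visible without executing anything. The guard deliberately refuses rather than escapes, since a reliable quoting scheme for cmd.exe is hard to get right and the safer fix is to call the real executable instead of a batch wrapper.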
History

Date                 User     Action           Args
2018-05-15 11:01:31  abigail  set recipients   + abigail, paul.moore, tim.golden, zach.ware, steve.dower
2018-05-15 11:01:31  abigail  set messageid    <1526382091.26.0.682650639539.issue33515@psf.upfronthosting.co.za>
2018-05-15 11:01:31  abigail  link             issue33515 messages
2018-05-15 11:01:31  abigail  create