
Author serhiy.storchaka
Recipients paul.moore, serhiy.storchaka, steve.dower, tim.golden, zach.ware
Date 2017-06-22.08:06:59
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1498118820.13.0.596038385019.issue30730@psf.upfronthosting.co.za>
In-reply-to
Content
It is possible to inject an environment variable in subprocess on Windows if user data is passed to a subprocess via an environment variable.
The provided PR fixes this vulnerability. It also adds other checks for invalid environment (variable names containing '=') and command arguments (containing '\0').
This was a part of issue13617, but was extracted to a separate issue due to increased severity.
History
Date                 User              Action  Args
2017-06-22 08:07:00  serhiy.storchaka  set     recipients: + serhiy.storchaka, paul.moore, tim.golden, zach.ware, steve.dower
2017-06-22 08:07:00  serhiy.storchaka  set     messageid: <1498118820.13.0.596038385019.issue30730@psf.upfronthosting.co.za>
2017-06-22 08:06:59  serhiy.storchaka  link    issue30730 messages
2017-06-22 08:06:59  serhiy.storchaka  create
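
An added illustration of the checks the message describes; it is not code from the PR or from CPython. A Windows environment block is a run of NUL-terminated `NAME=value` strings closed by one extra NUL, so the sketch serializes a mapping that way, reads it back as a child would, and shows the pre-spawn validation. The function names and sample values are hypothetical, and rejecting every '=' in a name is a simplification taken from the message's wording.

```python
def build_env_block(env):
    """Lay out a mapping as NAME=value entries, each NUL-terminated,
    followed by one closing NUL. Performs no validation on purpose."""
    return "".join(f"{name}={value}\0" for name, value in env.items()) + "\0"


def parse_env_block(block):
    """Read the block back entry by entry, as the child process sees it."""
    seen = {}
    for entry in block.split("\0"):
        if not entry:
            break  # an empty entry marks the end of the block
        name, _, value = entry.partition("=")
        seen[name] = value
    return seen


def validate_env(env):
    """Reject mappings that cannot be represented unambiguously."""
    for name, value in env.items():
        if "\0" in name or "\0" in value:
            raise ValueError("embedded null character in environment")
        if not name or "=" in name:
            raise ValueError("illegal environment variable name")
    return env


def validate_args(args):
    """Reject command arguments that contain a null character."""
    for arg in args:
        if "\0" in arg:
            raise ValueError("embedded null character in argument")
    return args


if __name__ == "__main__":
    # Constructed sample: one variable carrying untrusted text.
    untrusted = {"GREETING": "hi\0INJECTED=1"}
    print(parse_env_block(build_env_block(untrusted)))  # two variables
    try:
        validate_env(untrusted)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the validation before the block is built turns the ambiguous input into a `ValueError` instead of a second variable in the child.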
