New submission from Sergey G. Brester <serg.bres...@sebres.de>: There is a vulnerability "insufficient escape of special chars for quoting of arguments by exec process" for python-language, if executing windows batch-files (bat/cmd).
### What version of python is affected? All ### Does this issue reproduce with the latest master? Yes ### What did you do? Execution of batch-file using `subprocess` module with arguments containing some special meta-characters. A recipe for reproducing the error as well as more extensive PoC with additional info (and more lang's affected also): - https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/README.md A complete runnable program: - https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/test-dump-inv.py #### A simple example: ```diff # invoke exe-file: >>> import subprocess >>> subprocess.call(['test-dump.exe', 'test&whoami']) + `test-dump.exe´ `test&whoami´ # invoke cmd-file: >>> subprocess.call(['test-dump.CMD', 'test&whoami']) - `test-dump.exe´ `test´my_domain\sebres ``` For more "broken" cases, see the result of my test-suite: - https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/results/python.diff ### What did you expect to see? Arguments are escaped/quoted properly. ### What did you see instead? Arguments are insufficient escaped/quoted, so it is vulnerable currently. ### Solution: For possible solution see the github-PR#8906: - https://github.com/python/cpython/pull/8906 For algorithm description: - https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/SOLUTION.md resp. how it was fixed in TCL (C-code): - https://core.tcl-lang.org/tcl/vdiff?from=core-8-5-branch&to=0-day-21b0629c81 (see the function `BuildCommandLine`) ### Possible similar issues: bpo-33515 ---------- components: Library (Lib), Windows messages: 324013 nosy: paul.moore, sebres, steve.dower, tim.golden, zach.ware priority: normal pull_requests: 8376 severity: normal status: open title: subprocess: execution of batch-files (.cmd/.bat) is vulnerable in python for windows / insufficient escape type: security versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8 _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue34489> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
