[issue30730] Injecting environment variable in subprocess on Windows

2017-06-24 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:


New changeset e0d446e9caa38923e43818f78c94f95fe0aa995e by Serhiy Storchaka in 
branch '3.5':
[3.5] bpo-30745: Fix compiler warnings introduced in bpo-30730. (GH-2376) 
(#2379)
https://github.com/python/cpython/commit/e0d446e9caa38923e43818f78c94f95fe0aa995e


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue30730] Injecting environment variable in subprocess on Windows

2017-06-24 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:


New changeset 0e1f9e8d3ea82262cbb9a403b70a884da5e6a6ac by Serhiy Storchaka in 
branch '3.6':
[3.6] bpo-30745: Fix compiler warnings introduced in bpo-30730. (GH-2376) 
(#2378)
https://github.com/python/cpython/commit/0e1f9e8d3ea82262cbb9a403b70a884da5e6a6ac


--




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-24 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
pull_requests: +2429




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-24 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
pull_requests: +2427




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-24 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:


New changeset 0ee32c148119031e19c79359f5c4789ee69fa355 by Serhiy Storchaka in 
branch 'master':
bpo-30745: Fix compiler warnings introduced in bpo-30730. (#2376)
https://github.com/python/cpython/commit/0ee32c148119031e19c79359f5c4789ee69fa355


--




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-24 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
pull_requests: +2424




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-24 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:


New changeset 9dda2caca8edc7ff1285f6b0d1c5279b51854b7d by Serhiy Storchaka in 
branch '2.7':
[2.7] bpo-30730: Prevent environment variables injection in subprocess on 
Windows. (GH-2325) (#2372)
https://github.com/python/cpython/commit/9dda2caca8edc7ff1285f6b0d1c5279b51854b7d


--




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-23 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
pull_requests: +2420




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-23 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

3.3 and 3.4 suffer from this issue.

--
versions: +Python 2.7




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-23 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
nosy: +georg.brandl
stage: patch review -> backport needed
versions: +Python 3.3, Python 3.4 -Python 2.7




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-23 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
pull_requests: +2412




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-23 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
pull_requests: +2411




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-23 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:


New changeset a7c0264735f46afab13771be4218d8eab0d7dc91 by Serhiy Storchaka in 
branch '3.5':
[3.5] bpo-30730: Prevent environment variables injection in subprocess on 
Windows. (GH-2325) (#2361)
https://github.com/python/cpython/commit/a7c0264735f46afab13771be4218d8eab0d7dc91


--




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-23 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:


New changeset e7135751b8e48af80665e40ac8fa6d0073e5affe by Serhiy Storchaka in 
branch '3.6':
[3.6] bpo-30730: Prevent environment variables injection in subprocess on 
Windows. (GH-2325) (#2360)
https://github.com/python/cpython/commit/e7135751b8e48af80665e40ac8fa6d0073e5affe


--




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-23 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
pull_requests: +2410




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-23 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
pull_requests: +2409




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-23 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:


New changeset d174d24a5d37d1516b885dc7c82f71ecd5930700 by Serhiy Storchaka in 
branch 'master':
bpo-30730: Prevent environment variables injection in subprocess on Windows. 
(#2325)
https://github.com/python/cpython/commit/d174d24a5d37d1516b885dc7c82f71ecd5930700


--




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-23 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
assignee:  -> serhiy.storchaka




[issue30730] Injecting environment variable in subprocess on Windows

2017-06-22 Thread Serhiy Storchaka

New submission from Serhiy Storchaka:

It is possible to inject an environment variable into a subprocess on Windows if 
user data is passed to the subprocess via an environment variable.

The provided PR fixes this vulnerability. It also adds other checks for invalid 
environment (variable names containing '=') and command arguments (containing 
'\0').

This was a part of issue13617, but was extracted to a separate issue due to 
increased severity.

--
components: Extension Modules
messages: 296618
nosy: paul.moore, serhiy.storchaka, steve.dower, tim.golden, zach.ware
priority: normal
severity: normal
stage: patch review
status: open
title: Injecting environment variable in subprocess on Windows
type: security
versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7

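The checks named in the submission above, as an added example that is not part of the thread and is not the CPython patch. It models the Windows environment block (NUL-terminated `NAME=value` strings ended by one extra NUL) in pure Python to show why unvalidated values are a problem; the function names and the sample variables `APP_USER` and `DEBUG_MODE` are hypothetical.

```python
def build_env_block(env):
    """Naive serialization: 'NAME=value\\0' per entry, then a final '\\0'."""
    return "".join(f"{name}={value}\0" for name, value in env.items()) + "\0"


def parse_env_block(block):
    """Read the block the way the receiving side does: split on NUL."""
    result = {}
    for entry in block.split("\0"):
        if not entry:
            break  # an empty string marks the end of the block
        name, _, value = entry.partition("=")
        result[name] = value
    return result


def validate_env(env):
    """Reject entries that the block format cannot represent faithfully."""
    for name, value in env.items():
        if not name or "=" in name:
            raise ValueError(f"illegal environment variable name: {name!r}")
        if "\0" in name or "\0" in value:
            raise ValueError(f"embedded null character in variable {name!r}")
    return env


def validate_args(args):
    """Reject command arguments containing NUL, which would truncate them."""
    for arg in args:
        if "\0" in arg:
            raise ValueError(f"embedded null character in argument {arg!r}")
    return args


def safe_env_block(env):
    """Serialize only after validation."""
    return build_env_block(validate_env(env))


# Constructed sample: a single variable whose value came from untrusted input.
SAMPLE_ENV = {"APP_USER": "alice\0DEBUG_MODE=1"}

if __name__ == "__main__":
    # Without validation the child sees two variables instead of one.
    print(parse_env_block(build_env_block(SAMPLE_ENV)))
    try:
        safe_env_block(SAMPLE_ENV)
    except ValueError as exc:
        print("rejected:", exc)
```
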



[issue30730] Injecting environment variable in subprocess on Windows

2017-06-22 Thread Serhiy Storchaka

Changes by Serhiy Storchaka :


--
pull_requests: +2374
