[issue30730] [security] Injecting environment variable in subprocess on Windows

2019-05-10 Thread Ned Deily
Change by Ned Deily : -- Removed message: https://bugs.python.org/msg342094

[issue30730] [security] Injecting environment variable in subprocess on Windows

2019-05-10 Thread Ned Deily
Ned Deily added the comment: New changeset fe82c46327effc124ff166e1fa1e611579e1176b by larryhastings (Serhiy Storchaka) in branch '3.4': [security][3.4] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325) (#2362) https://github.com/python/cpython/commit/fe8

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-07-22 Thread Larry Hastings
Larry Hastings added the comment: New changeset b1549175ed30f2931e2bb980a7e3c360ed19e1c9 by larryhastings (Victor Stinner) in branch '3.4': [3.4] Backport CI config from master (#2475) https://github.com/python/cpython/commit/b1549175ed30f2931e2bb980a7e3c360ed19e1c9

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-07-18 Thread Serhiy Storchaka
Changes by Serhiy Storchaka : -- resolution: -> fixed stage: backport needed -> resolved status: open -> closed

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-07-18 Thread Ned Deily
Ned Deily added the comment: New changeset e46f1c19642ea1882f427d8246987ba49351a97d by Ned Deily (Serhiy Storchaka) in branch '3.3': [security][3.3] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325) (#2363) https://github.com/python/cpython/commit/e46f1c196

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-07-12 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Oh, I forgot that null character/byte errors were of type TypeError before 3.5. The simplest fix is changing corresponding ValueError in self.assertRaises() to the tuple (ValueError, TypeError). I have updated the PR for 3.5. You can include the fix in your

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-07-12 Thread STINNER Victor
STINNER Victor added the comment: I rebased my "[3.4] Backport CI config from master" PR #2475 on top of 3.4 to test the new security fixes, but a few test_subprocess tests failed: https://github.com/python/cpython/pull/2475 https://travis-ci.org/python/cpython/jobs/252804589 =

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-07-11 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Sorry, actually the patch fixed two bugs. The one of them is a security issue, the other is much more severe. They look similar, are related to the same code (on Windows) and are tested with similar tests. os.execve() was not vulnerable to the first issue, i

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-07-11 Thread Larry Hastings
Larry Hastings added the comment: New changeset fe82c46327effc124ff166e1fa1e611579e1176b by larryhastings (Serhiy Storchaka) in branch '3.4': [security][3.4] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325) (#2362) https://github.com/python/cpython/commit/

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-07-11 Thread Larry Hastings
Larry Hastings added the comment: (never-mind, 3.6.1 still permits this, but I see that it's been fixed in trunk)

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-07-11 Thread Larry Hastings
Larry Hastings added the comment: It seems that os.execve() still permits this, even on Windows. Shouldn't we solve it there too? (Thanks to Steve Dower for realizing this.)

--

    import os
    cmdline=["/usr/bin/printenv"]
    env={'a=b': 'c'}
    os.execve(cmdline[0], cmdline, env) # this prints a=b=c

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-07-11 Thread Larry Hastings
Larry Hastings added the comment: Serhiy, I don't see where you got a full review of this change. Eryksun reviewed the code and asked for changes; you made the changes he asked for but didn't get any further review. Nor did you get a full review / "looks good to me" from anybody. As a matte

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-07-07 Thread Ned Deily
Ned Deily added the comment: New changeset a9b16cff35811f88cdfeb4f50758140dfff36ebc by Ned Deily (Serhiy Storchaka) in branch '3.6': [3.6] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325) (#2360) https://github.com/python/cpython/commit/a9b16cff35811f88cdf

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-06-30 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Yes, fsencode() already rejected embedded nulls, that is why the Posix branch doesn't need additional check for null characters. The Posix branch was changed only for adding the check for the '=' character in names.

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-06-30 Thread Steve Dower
Steve Dower added the comment: It's certainly exploitable for remote code execution if user data allows embedded nulls (can you URL encode %00?). The fixes look fine and shouldn't cause any new issues, though I thought that fsencode() already rejected embedded nulls - maybe I'm thinking of the

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-06-30 Thread Ned Deily
Ned Deily added the comment: Steve, Paul: any comments on the severity of this issue and the pushed fixes? -- nosy: +benjamin.peterson, larry, ned.deily priority: normal -> release blocker

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-06-28 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Isn't "Type: security" enough? If you want you could patch Roundup for highlighting security issues.

[issue30730] [security] Injecting environment variable in subprocess on Windows

2017-06-28 Thread STINNER Victor
Changes by STINNER Victor : -- title: Injecting environment variable in subprocess on Windows -> [security] Injecting environment variable in subprocess on Windows