[issue33515] subprocess.Popen on a Windows batch file always acts as if shell=True
Eryk Sun
report at bugs.python.org
Tue May 15 16:17:31 EDT 2018
Eryk Sun <eryksun at gmail.com> added the comment:
There's no simple workaround for this behavior. All we can reasonably do is document that running a batch script directly has the same security risks as using shell=True.
CMD doesn't support a file argument. It only supports running a /c or /k command, which can include running multiple commands joined by the &, &&, or || operators. CreateProcess thus executes a .bat or .cmd script by prepending "%ComSpec% /c" to the command line. If %ComSpec% isn't defined, it defaults to "%SystemRoot%\System32\cmd.exe /c".
Environment variables in a command can be escaped in most cases by inserting the "^" escape character after the first "%" character. This disrupts matching the variable name (unless a variable name happens to start with "^"). The escape character itself gets skipped as long as it isn't quoted literally.
----------
assignee: -> docs at python
components: +Documentation
keywords: +security_issue
nosy: +docs at python, eryksun
stage: -> needs patch
versions: +Python 3.7, Python 3.8
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue33515>
_______________________________________