[New-bugs-announce] [issue30730] Injecting environment variable in subprocess on Windows
Serhiy Storchaka
report at bugs.python.org
Thu Jun 22 04:07:00 EDT 2017
New submission from Serhiy Storchaka:
It is possible to inject an environment variable in a subprocess on Windows if user data is passed to the subprocess via an environment variable.
The provided PR fixes this vulnerability. It also adds other checks for an invalid environment (variable names containing '=') and command arguments (containing '\0').
This was a part of issue13617, but was extracted to a separate issue due to increased severity.
----------
components: Extension Modules
messages: 296618
nosy: paul.moore, serhiy.storchaka, steve.dower, tim.golden, zach.ware
priority: normal
severity: normal
stage: patch review
status: open
title: Injecting environment variable in subprocess on Windows
type: security
versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue30730>
_______________________________________
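An added example, not part of the original message and not CPython's own code: it shows why an embedded '\0' in a value matters and what a pre-spawn validation check looks like. It assumes the Windows environment block layout (NUL-terminated `NAME=value` strings followed by one extra NUL); the function names and the sample values are constructed for illustration.

```python
def build_env_block(env):
    """Naive encoder: 'NAME=value' entries, each NUL-terminated, plus a final NUL.
    No validation is done here, which is the unsafe behaviour being illustrated."""
    return "".join(f"{name}={value}\0" for name, value in env.items()) + "\0"


def parse_env_block(block):
    """Decode a block the way its consumer reads it: split on NUL and stop at
    the first empty entry (the block terminator)."""
    result = {}
    for entry in block.split("\0"):
        if not entry:
            break
        name, _, value = entry.partition("=")
        result[name] = value
    return result


def validate_env(env):
    """Reject mappings that cannot be encoded unambiguously.
    Assumption: this check is stricter than necessary and refuses any '=' in a
    name, as well as empty names and NULs in names or values."""
    for name, value in env.items():
        if not name or "=" in name or "\0" in name:
            raise ValueError(f"illegal environment variable name: {name!r}")
        if "\0" in value:
            raise ValueError(f"embedded null character in value of {name!r}")
    return env


def spawn_env_block(env):
    """Validate first, then encode; the order a safe caller should use."""
    return build_env_block(validate_env(env))


if __name__ == "__main__":
    # Constructed sample: one variable whose value comes from untrusted input.
    untrusted = {"USER_COLOR": "blue\0EXTRA_VAR=1"}
    print("consumer sees:", parse_env_block(build_env_block(untrusted)))
    try:
        spawn_env_block(untrusted)
    except ValueError as exc:
        print("rejected:", exc)
```
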