Closed
Labels: 3.10 (only security fixes), 3.11 (only security fixes), 3.7 (EOL), 3.8 (EOL), 3.9 (only security fixes), OS-windows, release-blocker, type-bug (an unexpected behavior, bug, or error), type-security (a security issue)
Description
Bug report - Undocumented risky behaviour in subprocess module
When using subprocess.Popen with shell=True on Windows and without a COMSPEC environment variable, a cmd.exe is launched. The problem is that the full path of cmd.exe is not given, so Windows will search for the executable in the current directory and in the PATH. If an arbitrary executable file is written to the current directory or to a directory in the PATH, it can be run instead of the real cmd.exe.
See the code here and a POC here.
- This risky behaviour can be patched by replacing the cmd.exe string by C:\WINDOWS\system32\cmd.exe.
- If the behavior was chosen by Python developers, it should be documented.
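The following is an added example, not CPython's own subprocess code and not the fix merged in the linked PRs: it shows a hardened way to pick the shell for shell=True that never hands Windows a bare "cmd.exe" to search for. It assumes the usual COMSPEC and SystemRoot environment variables, and uses ntpath so the logic can be checked on any OS.

```python
"""Hardened shell resolution for shell=True on Windows (added example).

Policy demonstrated (an assumption of this example, modelled on the report's
suggestion): prefer %COMSPEC%, otherwise derive the interpreter path from
%SystemRoot%, and refuse to fall back to a relative 'cmd.exe' that Windows
would look up in the current directory and PATH.
"""
import ntpath


def resolve_shell(environ):
    """Return an absolute path to the command interpreter, or raise."""
    comspec = environ.get("COMSPEC")
    if comspec:
        # A relative COMSPEC would reintroduce the search-order problem.
        if not ntpath.isabs(comspec):
            raise ValueError(f"COMSPEC is not an absolute path: {comspec!r}")
        return comspec
    system_root = environ.get("SystemRoot")
    if not system_root:
        raise FileNotFoundError(
            "neither COMSPEC nor SystemRoot is set; refusing to fall back "
            "to a bare 'cmd.exe'")
    shell = ntpath.join(system_root, "System32", "cmd.exe")
    if not ntpath.isabs(shell):
        raise FileNotFoundError(f"derived shell path is not absolute: {shell!r}")
    return shell


def build_shell_args(cmd, environ):
    """Argument vector in the shape used for shell=True ('<shell> /c <cmd>'),
    with the shell always given by absolute path."""
    return [resolve_shell(environ), "/c", cmd]


def is_search_dependent(executable):
    """True if a name would be located via Windows' search rather than
    opened directly, i.e. it is not an absolute path."""
    return not ntpath.isabs(executable)


def search_candidates(name, cwd, path_value):
    """Locations where a bare name would be looked up, simplified to the two
    places the report names: the current directory, then each PATH entry."""
    dirs = [cwd] + [d for d in path_value.split(";") if d]
    return [ntpath.join(d, name) for d in dirs]
```

Running search_candidates("cmd.exe", cwd, PATH) over a build or deployment directory is a quick audit of which writable locations could shadow the interpreter when a caller still uses a relative name.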
Linked PRs
- gh-101283: Try to load the fallback cmd.exe by an absolute path #101286
- [3.10] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101708
- [3.9] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101709
- [3.8] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101710
- [3.11] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101711
- gh-101283: Fix use of unbound variable #101712
- [3.7] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) #101713
- gh-101283: Version was just released, so should be changed in 3.11.3 #101719
- [3.11] gh-101283: Version was just released, so should be changed in 3.11.3 (GH-101719) #101721
- gh-101283: Fix the versionchanged of gh-101283 (3.12 only) #101728