Environment variables injection in subprocess on Windows

On Windows, prevent passing invalid environment variables and command arguments to subprocess.Popen.

It is possible to inject an environment variable in subprocess on Windows if a user data is passed to a subprocess via environment variable.

Check for invalid environment (variable names containing ‘=’) and command arguments (containing ‘0’).

  • Disclosure date: 2017-06-22 (Python issue #30730 reported)

Fixed In

Python issue

[security] Injecting environment variable in subprocess on Windows.

  • Python issue: issue #30730
  • Creation date: 2017-06-22
  • Reporter: Serhiy Storchaka

Timeline

Timeline using the disclosure date 2017-06-22 as reference:

  • 2017-06-22: Python issue #30730 reported by Serhiy Storchaka
  • 2017-06-23 (+1 days): commit a7c0264
  • 2017-06-23 (+1 days): commit a9b16cf
  • 2017-06-24 (+2 days): commit 9dda2ca
  • 2017-07-11 (+19 days): commit fe82c46
  • 2017-07-17 (+25 days): Python 3.6.2 released
  • 2017-07-19 (+27 days): commit e46f1c1
  • 2017-08-08 (+47 days): Python 3.5.4 released
  • 2017-08-09 (+48 days): Python 3.4.7 released
  • 2017-09-17 (+87 days): Python 2.7.14 released
  • 2017-09-19 (+89 days): Python 3.3.7 released