.. _env-var-injection-subprocess-windows:

Environment variables injection in subprocess on Windows
========================================================

.. warning::
   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**. The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the `Open Source Vulnerability Database `_.

On Windows, prevent passing invalid environment variables and command arguments to ``subprocess.Popen``.

It is possible to inject an environment variable into a subprocess on Windows if user data is passed to the subprocess via an environment variable. Check for invalid environment variables (names containing ``'='``) and command arguments (containing ``'\0'``).

Dates:

* Disclosure date: **2017-06-22** (Python issue bpo-30730 reported)

Fixed In
--------

* Python **2.7.14** (2017-09-16) fixed by `commit 9dda2ca (branch 2.7) `_ (2017-06-24)
* Python **3.3.7** (2017-09-19) fixed by `commit e46f1c1 (branch 3.3) `_ (2017-07-19)
* Python **3.4.7** (2017-08-09) fixed by `commit fe82c46 (branch 3.4) `_ (2017-07-11)
* Python **3.5.4** (2017-08-07) fixed by `commit a7c0264 (branch 3.5) `_ (2017-06-23)
* Python **3.6.2** (2017-07-08) fixed by `commit a9b16cf (branch 3.6) `_ (2017-06-23)
* Python **3.7.0** (2018-06-27) fixed by `commit d174d24 (branch 3.7) `_ (2017-06-23)

Python issue
------------

[security] Injecting environment variable in subprocess on Windows.

* Python issue: `bpo-30730 `_
* Creation date: 2017-06-22
* Reporter: Serhiy Storchaka

Timeline
--------

Timeline using the disclosure date **2017-06-22** as reference:

* 2017-06-22: `Python issue bpo-30730 `_ reported by Serhiy Storchaka
* 2017-06-23 (**+1 day**): `commit a7c0264 (branch 3.5) `_
* 2017-06-23 (**+1 day**): `commit a9b16cf (branch 3.6) `_
* 2017-06-23 (**+1 day**): `commit d174d24 (branch 3.7) `_
* 2017-06-24 (**+2 days**): `commit 9dda2ca (branch 2.7) `_
* 2017-07-08 (**+16 days**): Python 3.6.2 released
* 2017-07-11 (**+19 days**): `commit fe82c46 (branch 3.4) `_
* 2017-07-19 (**+27 days**): `commit e46f1c1 (branch 3.3) `_
* 2017-08-07 (**+46 days**): Python 3.5.4 released
* 2017-08-09 (**+48 days**): Python 3.4.7 released
* 2017-09-16 (**+86 days**): Python 2.7.14 released
* 2017-09-19 (**+89 days**): Python 3.3.7 released
* 2018-06-27: Python 3.7.0 released
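The checks the fix describes (no ``'='`` in a variable name, no ``'\0'`` in environment entries or command arguments), written out as an added example that is not CPython's own code. It builds the ``NAME=VALUE\0`` block that Windows ``CreateProcess`` consumes and parses it back, so the reader can see why an unchecked NUL splits one entry into two variables. The exact rules (a leading ``'='`` tolerated in a name, since Windows reserves names such as ``=C:``) and all function names are this example's own assumptions.

```python
# Added example: defensive validation of a subprocess environment and
# argument list, mirroring the checks described for bpo-30730.  The rule
# details and helper names are assumptions of this example, not a quotation
# of the CPython patch.

def validate_env(env):
    """Raise ValueError for names/values that could split the env block."""
    for name, value in env.items():
        # Windows reserves names beginning with '=' (e.g. '=C:'), so only a
        # '=' after the first character is treated as illegal here.
        if '=' in name[1:]:
            raise ValueError("illegal environment variable name: %r" % name)
        # Entries are NUL-terminated, so an embedded NUL ends the entry early
        # and whatever follows becomes a new NAME=VALUE pair.
        if '\0' in name or '\0' in value:
            raise ValueError("embedded null character in environment: %r" % name)
    return env

def validate_args(args):
    """Command arguments are NUL-terminated C strings; reject embedded NUL."""
    for arg in args:
        if '\0' in arg:
            raise ValueError("embedded null character in argument: %r" % arg)
    return list(args)

def unchecked_block(env):
    """Windows environment block layout: 'NAME=VALUE\\0' entries + final NUL,
    built WITHOUT validation to show what the check prevents."""
    return ''.join('%s=%s\0' % (k, v) for k, v in env.items()) + '\0'

def build_env_block(env):
    """Same layout, but only after validate_env() has accepted the mapping."""
    return unchecked_block(validate_env(env))

def parse_env_block(block):
    """How a receiver reads a block: split on NUL, then on the first '='
    after position 0 (so a reserved '=C:' style name stays intact)."""
    result = {}
    for entry in block.split('\0'):
        if entry:
            i = entry.index('=', 1)
            result[entry[:i]] = entry[i + 1:]
    return result

if __name__ == '__main__':
    # Constructed input: a value carrying a NUL and a second NAME=VALUE pair.
    tainted = {'A': '1\0EVIL=x'}
    print(parse_env_block(unchecked_block(tainted)))  # two variables appear
    try:
        build_env_block(tainted)
    except ValueError as exc:
        print('rejected:', exc)
```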