Environment variables injection in subprocess on Windows¶

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

On Windows, prevent passing invalid environment variables and command arguments to subprocess.Popen.

It is possible to inject an environment variable in subprocess on Windows if a user data is passed to a subprocess via environment variable.

Check for invalid environment (variable names containing ‘=’) and command arguments (containing ‘0’).

Dates:

Fixed In¶

Python 2.7.14 (2017-09-16) fixed by commit 9dda2ca (branch 2.7) (2017-06-24)
Python 3.3.7 (2017-09-19) fixed by commit e46f1c1 (branch 3.3) (2017-07-19)
Python 3.4.7 (2017-08-09) fixed by commit fe82c46 (branch 3.4) (2017-07-11)
Python 3.5.4 (2017-08-07) fixed by commit a7c0264 (branch 3.5) (2017-06-23)
Python 3.6.2 (2017-07-08) fixed by commit a9b16cf (branch 3.6) (2017-06-23)
Python 3.7.0 (2018-06-27) fixed by commit d174d24 (branch 3.7) (2017-06-23)

[security] Injecting environment variable in subprocess on Windows.

Timeline using the disclosure date 2017-06-22 as reference: