Environment variables injection in subprocess on Windows

On Windows, prevent passing invalid environment variables and command arguments to subprocess.Popen.

It is possible to inject an environment variable in subprocess on Windows if a user data is passed to a subprocess via environment variable.

Check for invalid environment (variable names containing ‘=’) and command arguments (containing ‘0’).

  • Disclosure date: 2017-06-22 (Python issue bpo-30730 reported)

Fixed In

Vulnerable Versions

  • Python 3.7

Python issue

[security] Injecting environment variable in subprocess on Windows.

  • Python issue: bpo-30730
  • Creation date: 2017-06-22
  • Reporter: Serhiy Storchaka

Timeline

Timeline using the disclosure date 2017-06-22 as reference: