Message296618
| Author | serhiy.storchaka |
|---|---|
| Recipients | paul.moore, serhiy.storchaka, steve.dower, tim.golden, zach.ware |
| Date | 2017-06-22.08:06:59 |
| SpamBayes Score | -1.0 |
| Marked as misclassified | Yes |
| Message-id | <1498118820.13.0.596038385019.issue30730@psf.upfronthosting.co.za> |
| In-reply-to | |
| Content | |
|---|---|
It is possible to inject an environment variable in subprocess on Windows if user data is passed to a subprocess via an environment variable. The provided PR fixes this vulnerability. It also adds other checks for invalid environment (variable names containing '=') and command arguments (containing '\0'). This was a part of issue13617, but was extracted to a separate issue due to increased severity.

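The kind of check the message describes, as an added example that is not part of the original message, the PR, or CPython's code. It relies on the Windows environment block layout (NUL-terminated `NAME=value` entries followed by one extra NUL); all function names and sample values are constructed.

```python
# Added example (not CPython's code): why NUL and '=' must be rejected in an
# environment mapping. Function names and sample data are constructed.

def build_env_block(env):
    """Lay out env like a Windows environment block: 'NAME=value\\0' entries
    followed by one extra '\\0'. Deliberately performs no validation."""
    return "".join(f"{name}={value}\0" for name, value in env.items()) + "\0"

def parse_env_block(block):
    """Read the block back the way its consumer would split it."""
    env = {}
    for entry in block.split("\0"):
        if not entry:
            break  # an empty entry marks the end of the block
        name, _, value = entry.partition("=")
        env[name] = value
    return env

def check_env(env):
    """Raise ValueError for entries that cannot be represented unambiguously.
    This example rejects '=' anywhere in a name, as the message describes."""
    for name, value in env.items():
        if not name:
            raise ValueError("empty variable name")
        if "\0" in name or "\0" in value:
            raise ValueError(f"embedded NUL in variable {name!r}")
        if "=" in name:
            raise ValueError(f"'=' in variable name {name!r}")
    return env

def roundtrips(env):
    """True if the consumer of the block sees exactly the mapping we passed."""
    return parse_env_block(build_env_block(env)) == env

# Constructed sample data.
GOOD = {"PATH": "C:\\Windows", "REPORT_USER": "alice"}
BAD_VALUE = {"PATH": "C:\\Windows", "REPORT_USER": "alice\0EXTRA=1"}
BAD_NAME = {"A=B": "c"}

if __name__ == "__main__":
    for sample in (GOOD, BAD_VALUE, BAD_NAME):
        try:
            check_env(sample)
            print("accepted:", sorted(sample))
        except ValueError as exc:
            print("rejected:", exc, "| round-trips:", roundtrips(sample))
```

Calling `check_env()` on the mapping before handing it to `subprocess` turns an ambiguous block into an explicit error at the caller.
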
| History | | | |
|---|---|---|---|
| Date | User | Action | Args |
| 2017-06-22 08:07:00 | serhiy.storchaka | set | recipients: + serhiy.storchaka, paul.moore, tim.golden, zach.ware, steve.dower |
| 2017-06-22 08:07:00 | serhiy.storchaka | set | messageid: <1498118820.13.0.596038385019.issue30730@psf.upfronthosting.co.za> |
| 2017-06-22 08:06:59 | serhiy.storchaka | link | issue30730 messages |
| 2017-06-22 08:06:59 | serhiy.storchaka | create | |