Message 316716 - Python tracker

Message316716

Author	eryksun
Recipients	abigail, docs@python, eryksun, paul.moore, steve.dower, tim.golden, zach.ware
Date	2018-05-15.20:17:31
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1526415451.46.0.682650639539.issue33515@psf.upfronthosting.co.za>
In-reply-to

Content
There's no simple workaround for this behavior. All we can reasonably do is document that running a batch script directly has the same security risks as using shell=True. CMD doesn't support a file argument. It only supports running a /c or /k command, which can include running multiple commands joined by the &, &&, or \|\| operators. CreateProcess thus executes a .bat or .cmd script by prepending "%ComSpec% /c" to the command line. If %ComSpec% isn't defined, it defaults to "%SystemRoot%\System32\cmd.exe /c". Environment variables in a command can be escaped in most cases by inserting the "^" escape character after the first "%" character. This disrupts matching the variable name (unless a variable name happens to start with "^"). The escape character itself gets skipped as long as it isn't quoted literally.

Content

There's no simple workaround for this behavior. All we can reasonably do is document that running a batch script directly has the same security risks as using shell=True. 

CMD doesn't support a file argument. It only supports running a /c or /k command, which can include running multiple commands joined by the &, &&, or || operators. CreateProcess thus executes a .bat or .cmd script by prepending "%ComSpec% /c" to the command line. If %ComSpec% isn't defined, it defaults to "%SystemRoot%\System32\cmd.exe /c".

Environment variables in a command can be escaped in most cases by inserting the "^" escape character after the first "%" character. This disrupts matching the variable name (unless a variable name happens to start with "^"). The escape character itself gets skipped as long as it isn't quoted literally.

History
Date	User	Action	Args
2018-05-15 20:17:31	eryksun	set	recipients: + eryksun, paul.moore, tim.golden, docs@python, zach.ware, steve.dower, abigail
2018-05-15 20:17:31	eryksun	set	messageid: <1526415451.46.0.682650639539.issue33515@psf.upfronthosting.co.za>
2018-05-15 20:17:31	eryksun	link	issue33515 messages
2018-05-15 20:17:31	eryksun	create