[3.6] bpo-30730: Prevent environment variables injection in subproces… · python/cpython@e713575
@@ -644,6 +644,46 @@ def test_empty_env(self):
644644# environment
645645b"['__CF_USER_TEXT_ENCODING']"))
646646647+def test_invalid_cmd(self):
648+# null character in the command name
649+cmd = sys.executable + '\0'
650+with self.assertRaises(ValueError):
651+subprocess.Popen([cmd, "-c", "pass"])
652+653+# null character in the command argument
654+with self.assertRaises(ValueError):
655+subprocess.Popen([sys.executable, "-c", "pass#\0"])
656+657+def test_invalid_env(self):
658+# null character in the enviroment variable name
659+newenv = os.environ.copy()
660+newenv["FRUIT\0VEGETABLE"] = "cabbage"
661+with self.assertRaises(ValueError):
662+subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
663+664+# null character in the enviroment variable value
665+newenv = os.environ.copy()
666+newenv["FRUIT"] = "orange\0VEGETABLE=cabbage"
667+with self.assertRaises(ValueError):
668+subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
669+670+# equal character in the enviroment variable name
671+newenv = os.environ.copy()
672+newenv["FRUIT=ORANGE"] = "lemon"
673+with self.assertRaises(ValueError):
674+subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
675+676+# equal character in the enviroment variable value
677+newenv = os.environ.copy()
678+newenv["FRUIT"] = "orange=lemon"
679+with subprocess.Popen([sys.executable, "-c",
680+'import sys, os;'
681+'sys.stdout.write(os.getenv("FRUIT"))'],
682+stdout=subprocess.PIPE,
683+env=newenv) as p:
684+stdout, stderr = p.communicate()
685+self.assertEqual(stdout, b"orange=lemon")
686+647687def test_communicate_stdin(self):
648688p = subprocess.Popen([sys.executable, "-c",
649689'import sys;'
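Review bot: test_invalid_env only exercises `str` keys and values, so the rejection of NUL and `=` is unverified for `bytes` entries in `env`, which POSIX accepts. A parallel case such as `newenv[b"FRUIT=ORANGE"] = b"lemon"` under a POSIX-only skip would pin that path; whether both forms go through the same check cannot be confirmed here, because the implementation is not visible. In every `assertRaises` block of test_invalid_cmd and test_invalid_env the `Popen` object is discarded, so if validation ever regresses, the child starts with the malformed argument or environment and is never waited on. Binding the object and cleaning it up on unexpected success would keep such a failure from leaking a process. The four comments in test_invalid_env spell "enviroment" where "environment" is meant, and test_communicate_stdin at the end of the hunk continues outside it.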