[security][3.4] bpo-30730: Prevent environment variables injection in… · python/cpython@fe82c46
@@ -606,6 +606,46 @@ def test_empty_env(self):
606606# environment
607607b"['__CF_USER_TEXT_ENCODING']"))
608608609+def test_invalid_cmd(self):
610+# null character in the command name
611+cmd = sys.executable + '\0'
612+with self.assertRaises(ValueError):
613+subprocess.Popen([cmd, "-c", "pass"])
614+615+# null character in the command argument
616+with self.assertRaises(ValueError):
617+subprocess.Popen([sys.executable, "-c", "pass#\0"])
618+619+def test_invalid_env(self):
620+# null character in the enviroment variable name
621+newenv = os.environ.copy()
622+newenv["FRUIT\0VEGETABLE"] = "cabbage"
623+with self.assertRaises(ValueError):
624+subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
625+626+# null character in the enviroment variable value
627+newenv = os.environ.copy()
628+newenv["FRUIT"] = "orange\0VEGETABLE=cabbage"
629+with self.assertRaises(ValueError):
630+subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
631+632+# equal character in the enviroment variable name
633+newenv = os.environ.copy()
634+newenv["FRUIT=ORANGE"] = "lemon"
635+with self.assertRaises(ValueError):
636+subprocess.Popen([sys.executable, "-c", "pass"], env=newenv)
637+638+# equal character in the enviroment variable value
639+newenv = os.environ.copy()
640+newenv["FRUIT"] = "orange=lemon"
641+with subprocess.Popen([sys.executable, "-c",
642+'import sys, os;'
643+'sys.stdout.write(os.getenv("FRUIT"))'],
644+stdout=subprocess.PIPE,
645+env=newenv) as p:
646+stdout, stderr = p.communicate()
647+self.assertEqual(stdout, b"orange=lemon")
648+609649def test_communicate_stdin(self):
610650p = subprocess.Popen([sys.executable, "-c",
611651'import sys;'
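Review bot: test_invalid_env exercises only str names and values, so these assertions do not pin how a bytes name or value containing `=` or a null byte is handled. If Popen on this branch accepts bytes entries in `env` on POSIX (the implementation is not visible in this hunk), add a POSIX-only case such as `newenv[b"FRUIT=ORANGE"] = b"lemon"` under `assertRaises(ValueError)`, plus one with a null byte in a bytes value, to cover the same rejection. A short comment on the final case, for example `# '=' in the value is legal: only the first '=' separates name from value`, would explain why it is expected to succeed while the other three raise. The four comments in test_invalid_env spell "enviroment", which should read "environment".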